RedHat Interchange Remote Arbitrary File Disclosure Vulnerability

Vulnerability ID 1106915 Vulnerability type Unknown
Published 2002-08-13 Updated 2002-09-05
CVE ID CVE-2002-0874
CNNVD-ID CNNVD-200209-012
Platform Linux CVSS score 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/21706
https://www.securityfocus.com/bid/89480
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200209-012
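|Vulnerability details
Interchange is an e-commerce and application server system. It can be used to build a database-backed web server and online applications. Interchange 4.8.5 and earlier contain a security vulnerability: when running in "INET mode", the server allows an attacker to read any file that the Interchange process has permission to read. This may disclose sensitive information that the attacker could use to launch further attacks.
|Exploit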
source: http://www.securityfocus.com/bid/5453/info

A vulnerability has been reported for Interchange 4.8.5 and earlier. Reportedly, Interchange may disclose contents of files to attackers.

The vulnerability occurs due to the placement of the 'doc' folder. Reportedly, the folder will be installed as follows: <INTERCHANGE_ROOT>/doc. This folder, by default, contains Interchange man pages. This vulnerability is only exploitable when the Interchange service runs in INET (Internet service) mode.

An attacker may exploit this vulnerability to disclose the contents of restricted files accessible to the Interchange process.

It has been reported that this issue may be exploited through a '../' directory traversal sequence in an HTTP request to the vulnerable server.

http://www.domain.com:7786/../../../../../../../../../etc/passwd
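
The traversal reported above works when a request path is joined to the served directory without a containment check. The following is an added example, not code from Interchange or from the original advisory, showing that flawed pattern next to a check that rejects paths resolving outside the doc folder; the install path `/opt/interchange/doc`, the function names and the sample file names are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed install path standing in for <INTERCHANGE_ROOT>/doc (hypothetical).
DOC_ROOT = "/opt/interchange/doc"


def naive_resolve(request_target):
    """Flawed pattern: append the request path to the doc root unchecked."""
    path = unquote(urlsplit(request_target).path)
    return posixpath.normpath(DOC_ROOT + "/" + path)


def safe_resolve(request_target):
    """Return the path to serve, or None when it falls outside DOC_ROOT."""
    path = unquote(urlsplit(request_target).path)
    if "\x00" in path:
        return None  # NUL bytes never belong in a file name
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    # Compare against DOC_ROOT plus a separator so that a sibling such as
    # /opt/interchange/doc-private is not mistaken for a child of DOC_ROOT.
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    # This check is lexical. A real server should also resolve symlinks
    # (os.path.realpath) before comparing, and serve only regular files.
    return candidate


# Constructed request targets; the first is the path from the report above.
SAMPLES = [
    "/../../../../../../../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/../doc-private/notes.txt",
    "/man/example.1",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target!r}: naive={naive_resolve(target)!r} "
              f"safe={safe_resolve(target)!r}")
```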
|Affected products
Redhat Interchange 4.8.5

Redhat Interchange 4.8.4

Redhat Interchange 4.8.3

+ Debian Linux 3.0

Redhat Interchange 4.8.2

Redhat Interchange

|References

Source: DEBIAN
Name: DSA-150
Link: http://www.debian.org/security/2002/dsa-150
