Just in case any of you out there use iHTML...
Quote:
Dear Inline/iHTML User,
It has come to our attention that by using Google
it is possible to get database login information in
mainly older versions of the iHTML Merchant. This
could affect any iHTML based site though that uses
iERROR and i_errordetail in the iERROR tag.
The following course of action is HIGHLY recommended.
1. block out the values of the DBNAME and LOGIN directive in your
error messages. This can be done like this (you need iHTML
Enterprise) as basically the first thing in the iERROR block
NEWTEXT=`DBNAME="[ removed ]"` OUTVAR="i_errordetail">
NEWTEXT=`LOGIN="[ removed ]"` OUTVAR="i_errordetail">
2. Change your database user/pass IMMEDIATELY. You can check google
to see if you are exposed by doing this in Google
"dbname" filetype:ihtml intext:LOGIN inline.net
(replace inline.net with your domain)
You can get updated errorblock.inc files for the merchant at
ftp://ftp.inline.net/public/client/s...errorblock.inc
(same file works in 2.0 as 2.5 and mall)
If you are running an older version of the iHTML Merchant, upgrades
to the latest version are free and also recommended.
To unsubscribe from getting these emails from Inline, go to the myiHTML
(http://www.ihtml.com/myihtml) system. All users have an account and
you can have the system automatically email you the user/pass at the
above link.
Russ Cobbe, President
Inline Internet Systems, Inc.
Mississauga & Niagara Canada
1-905-680-0436x211 http://www.inline.net
Providing Comprehensive E-Business Solutions
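
A check for the first recommendation, as an added example that is not part of Inline's message or its errorblock.inc: it scans text your site serves (saved error pages, response bodies) for `DBNAME`/`LOGIN` directives that still carry a value, and blanks them the way the NEWTEXT values above do. The function names and the sample page are constructed for illustration, and the `DBNAME="..."` / `LOGIN="..."` directive form is assumed from the message.

```python
import re

# Directive form assumed from the advisory's NEWTEXT values: NAME="value".
# Also accepts single-quoted and unquoted values, case-insensitively.
DIRECTIVE_RE = re.compile(
    r"""\b(DBNAME|LOGIN)\s*=\s*("[^"]*"|'[^']*'|[^\s<>]+)""",
    re.IGNORECASE,
)
PLACEHOLDER = '"[ removed ]"'


def find_exposures(body):
    """Return (directive, line_number) for each directive not already blanked."""
    hits = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for m in DIRECTIVE_RE.finditer(line):
            if m.group(2) != PLACEHOLDER:
                hits.append((m.group(1).upper(), lineno))
    return hits


def redact(body):
    """Replace every DBNAME/LOGIN value with the advisory's placeholder."""
    return DIRECTIVE_RE.sub(lambda m: f"{m.group(1)}={PLACEHOLDER}", body)


# Constructed sample of an error page that echoes the failing tag.
SAMPLE_PAGE = """<html><body>
<h1>Error</h1>
<p>Error in tag: iSQL DBNAME="shopdb" LOGIN="webuser/s3cret" SQL="select ..."</p>
<p>dbname='inventory' login=admin/pw</p>
<p>DBNAME="[ removed ]"</p>
</body></html>"""

if __name__ == "__main__":
    for directive, lineno in find_exposures(SAMPLE_PAGE):
        print(f"line {lineno}: {directive} value exposed")
    print(redact(SAMPLE_PAGE))
```

Redaction only stops further leakage; credentials that have already appeared in an error page still need to be changed, as step 2 says.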