[NPL] Frontier 5: Process Macros Security Hole Closed
From UserLand Software at
(http://www.scripting.com/frontier5/security/processMacros.html):
Frontier 5: Process Macros Security Hole Closed
January 13, 1999
This afternoon we discovered a security hole in html.processMacros.
There are special cases where a macro in curly braces that's not
supposed to be run would be run.
Level of exposure
Very high, for affected systems.
Who needs this fix?
Anyone running Frontier as a web server or as a web scripting environment
with user-accessible interfaces to the website framework.
What versions are affected?
All versions of Frontier that include a website framework, from 4.x on up.
How to install
If you're running Frontier 5.1.5, choose Update Frontier from the Main
menu to get the update from support.userland.com.
If you're running the Trial version of 5.1.5, or an earlier version of
5.1, this is a fat page containing the new version of html.processMacros.
Save the source of this page to a local disk, and choose the Open command
from Frontier's File menu. Click on OK to all confirmation dialogs.
Press Control-S or Cmd-S to save changes.
If you're running Frontier 5.0.1, you can download a Macintosh binhex or
Windows zip version of html.processMacros that includes the fix.
If you're using Frontier 4.2.3, you can download a fix.
If you're using an earlier version of Frontier, you can fix it manually.
Jump to html.processMacros. Under the "on processMacros (s)" line, create
a new line, indented. This new line should read:
s = string.replaceAll (s, "\\{", "{")