Overview
A cross-site scripting (XSS) vulnerability exists in the login page of all versions of Urchin 5 up to and including 5.703.
Impact on Urchin Customers
This vulnerability can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the site running Urchin.
Mitigation
A fix is available in the form of a drop-in replacement for the Urchin template file that contains the vulnerability. ZIP packages that contain the updated template file and installation instructions are available from download.urchin.com as:
- UNIX-type systems (FreeBSD, IRIX, Linux, MacOS-X, Solaris): http://download.urchin.com/support/Urchin5703_template_update_nonwin.zip
- Windows: http://download.urchin.com/support/Urchin5703_template_update_win.zip
Side Effect of Fix
Though this fix does not in any way affect the core functionality or accuracy of Urchin 5, it does introduce a slight session-specific behavioral change to the product. Previously, Urchin 5 would remember the Urchin screen that a user was on and would restore the user to that screen after a session timeout. After applying the fix, Urchin will no longer restore users back to the current Urchin screen; users will be taken to the default profile view landing page instead.