[htdig] Security and access for private websites


Subject: [htdig] Security and access for private websites
From: Andreas Vogt (a_vogt@gaia.de)
Date: Sun May 21 2000 - 17:00:00 PDT


Hi everybody,

Our website is split into a public and a private subnet.

Now, I set up htdig with two different confs. So public parts can be
searched by htdig, and also private parts by different databases.

The private search.html is protected by .htaccess and "require user...".

But as /cgi-bin/htsearch is executable by any web client (for working with
the public search database), anybody can use it with the private config by
typing "config=htdig.privat" in the URL by hand.

Of course, a "spy" has to know the name of the private config file. But I
think you can guess it, or worse: members of the private section who
are no longer privileged after a password change can access it
easily.

So, how can I protect htsearch from being abused by typing in another
config in the URL?

Bye
Andreas
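
Added example, not part of the original post: a log check that flags requests to /cgi-bin/htsearch whose `config` parameter names anything other than the public configuration, which is how the access described above would show up in an Apache access log. The public config name `htdig`, the Common Log Format layout and the sample log lines are assumptions constructed for this example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

HTSEARCH_PATH = "/cgi-bin/htsearch"  # CGI path named in the post
ALLOWED_CONFIGS = {"htdig"}          # assumption: name of the public config

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/May/2000:16:40:01 -0700] "GET /cgi-bin/htsearch?words=linux HTTP/1.0" 200 5120',
    '192.0.2.10 - - [21/May/2000:16:41:12 -0700] "GET /cgi-bin/htsearch?config=htdig&words=linux HTTP/1.0" 200 5120',
    '198.51.100.7 - - [21/May/2000:16:45:30 -0700] "GET /cgi-bin/htsearch?config=htdig.privat&words=budget HTTP/1.0" 200 7340',
    '203.0.113.5 - - [21/May/2000:16:50:00 -0700] "GET /index.html?config=htdig.privat HTTP/1.0" 200 900',
]

def disallowed_configs(line):
    """Return (client, [config names outside the allow list]) or None."""
    m = CLF.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    # Decode and normalise the path so /cgi-bin/./htsearch and trailing
    # PATH_INFO (/cgi-bin/htsearch/x) are still recognised as htsearch.
    path = posixpath.normpath(unquote(parts.path))
    if path != HTSEARCH_PATH and not path.startswith(HTSEARCH_PATH + "/"):
        return None
    # parse_qs percent-decodes names and values and keeps repeated parameters.
    # An absent config parameter means the default (public) config: not flagged.
    params = parse_qs(parts.query, keep_blank_values=True)
    bad = [c for c in params.get("config", []) if c not in ALLOWED_CONFIGS]
    return (client, bad) if bad else None

def scan(lines):
    """Group disallowed config names by client address."""
    hits = {}
    for line in lines:
        hit = disallowed_configs(line)
        if hit:
            hits.setdefault(hit[0], []).extend(hit[1])
    return hits

if __name__ == "__main__":
    for client, configs in scan(SAMPLE_LOG).items():
        print(f"{client}: requested non-public config(s) {configs}")
```

Only the query string of the request line is inspected; form fields sent in a POST body do not appear in the access log and are not covered by this check.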




This archive was generated by hypermail 2b28 : Mon May 22 2000 - 00:30:15 PDT