Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)

Subject: Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)
From: Torsten Neuer (tneuer@inwise.de)
Date: Mon Sep 04 2000 - 01:41:02 PDT

• Next message: Torsten Neuer: "Re: [htdig] Re: results.php"
• Previous message: Manuel Lemos: "[htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• In reply to: Manuel Lemos: "[htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• Next in thread: Manuel Lemos: "Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• Reply: Torsten Neuer: "Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• Reply: Manuel Lemos: "Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Manuel Lemos wrote:
>
> application: PHP interface to ht://Dig 2000.09.03
> author: Manuel Lemos <mlemos@acm.org>
> license: freely distributable
> category: Web/Development
>
> homepage: http://freshmeat.net/redir/homepage/968017154/
> download: http://freshmeat.net/redir/download/968017154/

At first glance, I would say that there is a possible security hole
in this class since the htsearch parameters are not shell-escapes.
This could allow the execution of arbitrary commands.

cheers,

  Torsten

-- 
InWise - Wirtschaftlich-Wissenschaftlicher Internet Service GmbH
Waldhofstraße 14                            Tel: +49-4101-403605
D-25474 Ellerbek                            Fax: +49-4101-403606
E-Mail: info@inwise.de            Internet: http://www.inwise.de
------------------------------------
To unsubscribe from the htdig mailing list, send a message to
htdig-unsubscribe@htdig.org
You will receive a message to confirm this.
List archives:  <http://www.htdig.org/mail/menu.html>
FAQ:            <http://www.htdig.org/FAQ.html>

• Next message: Torsten Neuer: "Re: [htdig] Re: results.php"
• Previous message: Manuel Lemos: "[htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• In reply to: Manuel Lemos: "[htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• Next in thread: Manuel Lemos: "Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• Reply: Torsten Neuer: "Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• Reply: Manuel Lemos: "Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b28 : Mon Sep 04 2000 - 01:43:38 PDT