Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)


Subject: Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)
From: Manuel Lemos (mlemos@acm.org)
Date: Mon Sep 04 2000 - 01:46:33 PDT


Hello Torsten,

On 04-Sep-00 05:41:02, you wrote:

>> application: PHP interface to ht://Dig 2000.09.03
>> author: Manuel Lemos <mlemos@acm.org>
>> license: freely distributable
>> category: Web/Development
>>
>> homepage: http://freshmeat.net/redir/homepage/968017154/
>> download: http://freshmeat.net/redir/download/968017154/

>At first glance, I would say that there is a possible security hole
>in this class since the htsearch parameters are not shell-escaped.
>This could allow the execution of arbitrary commands.

I'm not sure how that may happen because the search words, eventually
passed as submitted form values, are URLEncoded and then passed to htsearch
in the QUERY_STRING environment variable. I wonder if URLEncoding would
not prevent all possible attacks.

Regards,
Manuel Lemos

Web Programming Components using PHP Classes.
Look at: http://phpclasses.UpperDesign.com/?user=mlemos@acm.org

--
E-mail: mlemos@acm.org
URL: http://www.mlemos.e-na.net/
PGP key: http://www.mlemos.e-na.net/ManuelLemos.pgp
--

To unsubscribe from the htdig mailing list, send a message to
htdig-unsubscribe@htdig.org
You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>
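As an added illustration, not part of this message and not code from the ht://Dig PHP interface (its htsearch path and the CGI variable names it sets are assumptions), the PHP below shows the two properties the reply above rests on: what rawurlencode() leaves in a submitted value, and the difference between handing htsearch the query in the QUERY_STRING environment variable and splicing it into a shell command line.

```php
<?php
// Added illustration, not code from the ht://Dig PHP interface. It shows why
// a value that reaches htsearch only through a URL-encoded QUERY_STRING never
// meets a shell, and what still has to be escaped if a shell is involved.
// The htsearch path and the CGI variable names are assumptions.

/**
 * Encode one form value the way it would appear in QUERY_STRING.
 * rawurlencode() keeps only A-Z a-z 0-9 - _ . and (since PHP 5.3) ~ and turns
 * every other byte into %XX. The tilde is re-encoded here because a Bourne
 * shell expands a leading ~ (and a ~ following = in an assignment), which is
 * the one way an otherwise-encoded value could still be rewritten by sh.
 */
function encode_value(string $value): string
{
    return str_replace('~', '%7E', rawurlencode($value));
}

/** Build a QUERY_STRING from name/value pairs; pairs are joined with &. */
function build_query_string(array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = encode_value((string)$name) . '=' . encode_value((string)$value);
    }
    return implode('&', $pairs);
}

/** True if $s contains any character a POSIX shell treats specially. */
function has_shell_metacharacters(string $s): bool
{
    return preg_match('/[\s;&|<>`$\\\\"\'(){}\[\]*?!#~]/', $s) === 1;
}

/**
 * Invoke htsearch the way a web server invokes a CGI program: argv is a fixed
 * array, the query is in the environment, and /bin/sh is never started.
 * Requires PHP >= 7.4 for the array form of proc_open().
 */
function run_htsearch(array $params, string $htsearch = '/usr/local/bin/htsearch'): string
{
    $env = [
        'REQUEST_METHOD' => 'GET',
        'QUERY_STRING'   => build_query_string($params),
        'SCRIPT_NAME'    => '/cgi-bin/htsearch',
    ];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([$htsearch], $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException("cannot start $htsearch");
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed hostile input: a search term that tries to close a quoted
// argument and append a second command.
$hostile = ['words' => "foo'; rm -rf / #", 'config' => 'htdig'];

$qs = build_query_string($hostile);
echo "QUERY_STRING: $qs\n";

// Each encoded value on its own is free of shell metacharacters.
foreach ($hostile as $name => $value) {
    printf("%-7s encoded value has shell metacharacters: %s\n",
        $name, has_shell_metacharacters(encode_value($value)) ? 'yes' : 'no');
}

// The joined string still contains & and =, so it is only safe because it
// travels in the environment. Splicing it into a shell command line, as in
//   shell_exec("QUERY_STRING=$qs htsearch");
// would hand the & to the shell. If a shell command line is unavoidable, the
// whole value has to go through escapeshellarg() as well.
$cmd = 'QUERY_STRING=' . escapeshellarg($qs) . ' ' . escapeshellarg('/usr/local/bin/htsearch');
echo "shell form: $cmd\n";
```

Run it with `php example.php`: the encoded "words" value comes out as alphanumerics and %XX escapes only, so the metacharacter check reports "no" for both values, and the last line prints the single-quoted form that would be needed if the query were ever put on a shell command line. Calling run_htsearch($hostile) on a host with ht://Dig installed sends the same QUERY_STRING to htsearch through the environment, which is the path the reply describes and the reason no shell parsing of user data takes place there.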



This archive was generated by hypermail 2b28 : Mon Sep 04 2000 - 01:54:01 PDT