Subject: Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)
From: Torsten Neuer (tneuer@inwise.de)
Date: Mon Sep 04 2000 - 02:12:33 PDT
Manuel Lemos wrote:
>
> Hello Torsten,
>
> On 04-Sep-00 05:41:02, you wrote:
>
> >> application: PHP interface to ht://Dig 2000.09.03
> >> author: Manuel Lemos <mlemos@acm.org>
> >> license: freely distributable
> >> category: Web/Development
> >>
> >> homepage: http://freshmeat.net/redir/homepage/968017154/
> >> download: http://freshmeat.net/redir/download/968017154/
>
> >At first glance, I would say that there is a possible security hole
> >in this class since the htsearch parameters are not shell-escaped.
> >This could allow the execution of arbitrary commands.
>
> I'm not sure how that may happen because the search words, eventually
> passed as submitted form values, are URLEncoded and then passed to htsearch
> in the QUERY_STRING environment variable. I wonder if URLEncoding would
> not prevent all possible attacks.
Hmm... I think it will prevent most possible attacks, but not all.
One reason for this is that shell-escaping is platform dependent and
therefore must be handled differently on different OS platforms by the
scripting engine, whereas URL-encoding is not platform dependent.
cheers,
Torsten
--
InWise - Wirtschaftlich-Wissenschaftlicher Internet Service GmbH
Waldhofstraße 14    Tel: +49-4101-403605
D-25474 Ellerbek    Fax: +49-4101-403606
E-Mail: info@inwise.de    Internet: http://www.inwise.de
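As an added illustration (not code from the PHP interface class under discussion), the following PHP shows the approach Manuel describes done without any shell: the submitted words are URL-encoded into QUERY_STRING and htsearch is started directly, so the platform-specific shell escaping Torsten raises never comes into play. The htsearch path, the CGI variable set and the sample input are assumptions.

```php
<?php
// Added example; not the code of the PHP interface to ht://Dig discussed above.
// Assumptions: htsearch lives at /usr/local/bin/htsearch (placeholder path) and
// reads its parameters from QUERY_STRING like any CGI program.

// Build the CGI query string from submitted form values. rawurlencode()
// emits only unreserved characters and %XX escapes, so the result cannot
// contain shell metacharacters such as ; | ` $ quotes or whitespace.
function build_query_string(array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode((string)$name) . '=' . rawurlencode((string)$value);
    }
    return implode('&', $pairs);
}

// Defensive check: the encoded string must match the CGI alphabet exactly.
// If this ever fails, something other than rawurlencode() produced the value.
function is_safe_query_string(string $qs): bool
{
    return preg_match('/^[A-Za-z0-9%._~=&-]*$/', $qs) === 1;
}

// Run htsearch with the query in the environment instead of on a command line.
// Passing the command as an array (PHP >= 7.4) bypasses /bin/sh entirely, so no
// shell escaping is required on any platform.
function run_htsearch(string $htsearch, array $params): string
{
    $qs = build_query_string($params);
    if (!is_safe_query_string($qs)) {
        throw new RuntimeException('refusing to pass unexpected characters to htsearch');
    }
    $env  = ['REQUEST_METHOD' => 'GET', 'QUERY_STRING' => $qs,
             'SCRIPT_NAME' => '/cgi-bin/htsearch'];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([$htsearch], $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start htsearch');
    }
    $out = stream_get_contents($pipes[1]);   // rendered result page
    $err = stream_get_contents($pipes[2]);   // drained so htsearch never blocks
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed sample input: '&' and the space become %26 and %20 in QUERY_STRING.
$words = $_GET['words'] ?? 'cats & dogs';
echo run_htsearch('/usr/local/bin/htsearch', ['config' => 'htdig', 'words' => $words]);
```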
This archive was generated by hypermail 2b28 : Mon Sep 04 2000 - 02:15:06 PDT