Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)


Subject: Re: [htdig] PHP interface to ht://Dig 2000.09.03 - ht://Dig indexing and searching Web pages engine interface from PHP. (fwd)
From: Manuel Lemos (mlemos@acm.org)
Date: Mon Sep 04 2000 - 15:32:47 PDT


Hello Torsten,

On 04-Sep-00 06:12:33, you wrote:

>> >> application: PHP interface to ht://Dig 2000.09.03
>> >> author: Manuel Lemos <mlemos@acm.org>
>> >> license: freely distributable
>> >> category: Web/Development
>> >>
>> >> homepage: http://freshmeat.net/redir/homepage/968017154/
>> >> download: http://freshmeat.net/redir/download/968017154/
>>
>> >At first glance, I would say that there is a possible security hole
>> >in this class since the htsearch parameters are not shell-escaped.
>> >This could allow the execution of arbitrary commands.
>>
>> I'm not sure how that may happen because the search words, eventually
>> passed as submitted form values, are URLEncoded and then passed to htsearch
>> in the QUERY_STRING environment variable. I wonder if URLEncoding would
>> not prevent all possible attacks.

>Hmm.. I think it will prevent most possible attacks, but not all.
>One reason for this is that shell escaping is platform dependent and
>therefore must be handled differently on different OS platforms by the
>scripting engine, whereas URL encoding is not platform dependent.

I guess you are right. I may add shell escaping, but now I'm not sure
what should be escaped. I have something like:

exec("QUERY_STRING=\"words=" . urlencode($text) . "\" /usr/local/htdig/cgi-bin/htsearch");

I wonder if just escaping the result of the UrlEncode call would do. What do you think?

Regards,
Manuel Lemos

Web Programming Components using PHP Classes.
Look at: http://phpclasses.UpperDesign.com/?user=mlemos@acm.org

--
E-mail: mlemos@acm.org
URL: http://www.mlemos.e-na.net/
PGP key: http://www.mlemos.e-na.net/ManuelLemos.pgp
--
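An added example (not code from the original message or from the ht://Dig project) that places the invocation shape discussed above next to two hardened forms; the htsearch path is the one from the message, the function names are assumed.

```php
<?php
// Added example, not code from the original message. It contrasts the
// invocation shape discussed in the thread with two hardened forms.
// The htsearch path is the one from the message; function names are assumed.

// Shape from the message: urlencode() alone keeps the value inside the
// double-quoted QUERY_STRING assignment. On a POSIX shell this holds because
// urlencode() emits only [A-Za-z0-9._+%-], none of which the shell expands.
function build_htsearch_command_original(string $text): string
{
    return "QUERY_STRING=\"words=" . urlencode($text) . "\" /usr/local/htdig/cgi-bin/htsearch";
}

// Hardened form that still goes through a shell: escapeshellarg() quotes the
// whole assignment value (and the binary path) using the rules of the platform
// PHP runs on, so safety no longer depends on urlencode()'s character set.
// Caveat: on Windows, escapeshellarg() replaces '%' with a space, which would
// corrupt percent-encoded query text; use run_htsearch() there instead.
function build_htsearch_command_hardened(string $text): string
{
    $query = 'words=' . urlencode($text);
    return 'QUERY_STRING=' . escapeshellarg($query)
         . ' ' . escapeshellarg('/usr/local/htdig/cgi-bin/htsearch');
}

// Preferred form: no shell at all. With an array command (PHP >= 7.4),
// proc_open() executes the binary directly, and QUERY_STRING is handed to the
// child via the environment array, so the search text is never parsed by a shell.
function run_htsearch(string $text): string
{
    $env  = ['QUERY_STRING' => 'words=' . urlencode($text)];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/local/htdig/cgi-bin/htsearch'], $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start htsearch');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('htsearch exited with an error');
    }
    return $out;
}
```

Passing an explicit environment array to proc_open() replaces the child's environment entirely, so any other variables htsearch needs (for example a config path) must be added to $env alongside QUERY_STRING.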

------------------------------------
To unsubscribe from the htdig mailing list, send a message to
htdig-unsubscribe@htdig.org
You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>



This archive was generated by hypermail 2b28 : Mon Sep 04 2000 - 20:19:36 PDT