Subject: Re: [htdig] security hole (was: Including Pull-Down Menu Pages)
From: Gilles Detillieux (grdetil@scrc.umanitoba.ca)
Date: Fri Sep 22 2000 - 09:45:53 PDT
According to Douglas Kline:
> Pursuant to your suggestion, we have installed v. 3.1.5. The only reference to
> an improvement in security of this version over v. 3.1.1 in the Release Notes
> to which you give Web page reference is:
>
> Fixed a nasty security hole in htsearch, which would allow users to view any
> file on your site that had read permission.
>
> I would like to ask whether this security hole applies to all installations of
> ht-Dig v. 3.1.1 and, if not, how one can determine if it applies to a
> particular installation. It isn't clear to me how a user could use htsearch to
> view files which aren't Web pages which are indexed by the search engine's
> database. This is of concern because there are other installations of ht-Dig
> v.3.1.1 at this institution and we need to evaluate their security.
This is explained in more detail in the FAQ, and the advisory which the
FAQ points to. See http://www.htdig.org/FAQ.html#q2.1
--
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930

------------------------------------
To unsubscribe from the htdig mailing list, send a message to
htdig-unsubscribe@htdig.org
You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>
This archive was generated by hypermail 2b28 : Fri Sep 22 2000 - 09:49:03 PDT