Re: [htdig] security hole (was: Including Pull-Down Menu Pages)


Subject: Re: [htdig] security hole (was: Including Pull-Down Menu Pages)
From: Gilles Detillieux (grdetil@scrc.umanitoba.ca)
Date: Fri Sep 22 2000 - 09:45:53 PDT


According to Douglas Kline:
> Pursuant to your suggestion, we have installed v. 3.1.5. The only reference to
> an improvement in security of this version over v. 3.1.1 in the Release Notes
> to which you give Web page reference is:
>
> Fixed a nasty security hole in htsearch, which would allow users to view any
> file on your site that had read permission.
>
> I would like to ask whether this security hole applies to all installations of
> ht-Dig v. 3.1.1 and, if not, how one can determine if it applies to a
> particular installation. It isn't clear to me how a user could use htsearch to
> view files which aren't Web pages which are indexed by the search engine's
> database. This is of concern because there are other installations of ht-Dig
> v.3.1.1 at this institution and we need to evaluate their security.

This is explained in more detail in the FAQ, and the advisory which the
FAQ points to. See http://www.htdig.org/FAQ.html#q2.1

-- 
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930




This archive was generated by hypermail 2b28 : Fri Sep 22 2000 - 09:49:03 PDT