Re: [htdig] security hole (was: Including Pull-Down Menu Pages)

Subject: Re: [htdig] security hole (was: Including Pull-Down Menu Pages)
From: Gilles Detillieux
Date: Fri Sep 22 2000 - 09:45:53 PDT

According to Douglas Kline:
> Pursuant to your suggestion, we have installed v. 3.1.5. The only reference to
> an improvement in security of this version over v. 3.1.1 in the Release Notes
> to which you give Web page reference is:
> Fixed a nasty security hole in htsearch, which would allow users to view any
> file on your site that had read permission.
> I would like to ask whether this security hole applies to all installations of
> ht-Dig v. 3.1.1 and, if not, how one can determine if it applies to a
> particular installation. It isn't clear to me how a user could use htsearch to
> view files which aren't Web pages which are indexed by the search engine's
> database. This is of concern because there are other installations of ht-Dig
> v.3.1.1 at this institution and we need to evaluate their security.

This is explained in more detail in the FAQ, and the advisory which the
FAQ points to. See

Gilles R. Detillieux              E-mail: <>
Spinal Cord Research Centre       WWW:
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930


This archive was generated by hypermail 2b28 : Fri Sep 22 2000 - 09:49:03 PDT