Subject: Re: [htdig] Search engine for private page
From: Stephane Bortzmeyer (firstname.lastname@example.org)
Date: Wed Oct 25 2000 - 08:32:25 PDT
On Wednesday 25 October 2000, at 11 h 12, the keyboard of Geoff Hutchison
> > As I understand it, there is no real security here: anyone can setup a
> > form in a Web page which will call htsearch (not htsearch.pr) and this
> > htsearch will be able to read the configuration file for the private
> > database?
> No, not really. But the form would be protected by password too, right?
*My* form, but anybody on the Net can write a similar form, just using htsearch
and not htsearch.pr as its action. (It is a very common attack against Web
servers whose only protection is in the hidden fields of a form.)
> If you want something more secure, you'd have to compile htsearch again,
> setting a different DEFAULT_CONFIG_DIR, which would prevent the other
> htsearch form entering that directory.
> But as a side note, remember that if all of this is using HTTP instead of
> HTTPS, a simple snooping attack will grab your passwords.
Right. But all connections to the internal database are from the local network, which restricts the set of possible attackers.
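The point Stephane makes above is that a hidden form field is attacker-controlled input, so the decision about which configuration a search request may open has to be made on the server. The following is an added illustration of that server-side check in Python; it is not htdig code, and the config names, the config directory and the `authenticated_user` argument (standing in for something like the web server's REMOTE_USER) are assumptions.

```python
import re

# Constructed example: which config names are public and which belong to the
# private database. Placeholder names; the real installation's names are not
# given in the thread.
PUBLIC_CONFIGS = {"public"}
PRIVATE_CONFIGS = {"internal"}
CONFIG_DIR = "/etc/htdig"  # assumed; plays the role of DEFAULT_CONFIG_DIR

# Only plain names are acceptable: no '/', no '..', no NUL, bounded length.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


class Forbidden(Exception):
    """Raised when a request may not use the requested configuration."""


def resolve_config(config_param, authenticated_user):
    """Return the config file path a search request is allowed to use.

    config_param: the 'config' form field. Anyone can write their own form
    that posts to the CGI, so this value is untrusted regardless of which
    form the site's own pages present.
    authenticated_user: identity established by the web server's own
    authentication, or None. The form field is never used for this.
    """
    if config_param is None:
        config_param = "public"
    if not _NAME_RE.match(config_param):
        raise Forbidden("malformed config name")
    if config_param in PUBLIC_CONFIGS:
        return f"{CONFIG_DIR}/{config_param}.conf"
    if config_param in PRIVATE_CONFIGS:
        # The private database is reachable only for authenticated requests,
        # no matter what the submitting form looked like.
        if authenticated_user is None:
            raise Forbidden("private database requires authentication")
        return f"{CONFIG_DIR}/{config_param}.conf"
    raise Forbidden("unknown config name")
```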
This archive was generated by hypermail 2b28 : Wed Oct 25 2000 - 08:38:13 PDT