Re: [htdig] Search engine for private page


Subject: Re: [htdig] Search engine for private page
From: Stephane Bortzmeyer (bortzmeyer@pasteur.fr)
Date: Wed Oct 25 2000 - 08:32:25 PDT


On Wednesday 25 October 2000, at 11 h 12, the keyboard of Geoff Hutchison
<ghutchis@wso.williams.edu> wrote:

> > As I understand it, there is no real security here: anyone can setup a
> > form in a Web page which will call htsearch (not htsearch.pr) and this
> > htsearch will be able to read the configuration file for the private
> > database?
>
> No, not really. But the form would be protected by password too, right?

*My* form, but anybody on the Net can write a similar form, just using htsearch
and not htsearch.pr as its action. (It is a very common attack against Web
servers whose only protection is in the hidden fields of a form.)
 
> If you want something more secure, you'd have to compile htsearch again,
> setting a different DEFAULT_CONFIG_DIR, which would prevent the other
> htsearch form entering that directory.

I see.

> But as a side note, remember that if all of this is using HTTP instead of
> HTTPS, a simple snooping attack will grab your passwords.

Right. But all connections to the internal database are from the local network, which restricts the set of possible attackers.

------------------------------------
To unsubscribe from the htdig mailing list, send a message to
htdig-unsubscribe@htdig.org
You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>



This archive was generated by hypermail 2b28 : Wed Oct 25 2000 - 08:38:13 PDT
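The attack described in the message above, as an added example that is not part of the original thread and not code from the htdig project: a small simulation of an htsearch-style CGI that picks its configuration file from a `config` request parameter. It shows that a hidden `config=private` field in a password-protected form (the htsearch.pr form) buys nothing when the unprotected htsearch reads the same configuration directory, and that giving the public binary its own configuration directory (the DEFAULT_CONFIG_DIR rebuild Geoff Hutchison suggests) closes the hole. The directory contents, the host `victim.example`, the config names and the fallback name `htdig` are constructed assumptions for the example.

```python
# Added example; not code from htdig or from either poster. It simulates how an
# htsearch-style CGI chooses a configuration file from a request parameter, to
# show why a hidden form field is not an access control. All names are made up.
from urllib.parse import parse_qs

# Constructed stand-ins for configuration directories on disk (file name -> body).
SHARED_CONFIG_DIR = {
    "public.conf": "database_dir: /var/lib/htdig/public",
    "private.conf": "database_dir: /var/lib/htdig/private",
}
PUBLIC_ONLY_CONFIG_DIR = {
    "public.conf": "database_dir: /var/lib/htdig/public",
}
PRIVATE_ONLY_CONFIG_DIR = {
    "private.conf": "database_dir: /var/lib/htdig/private",
}


def load_config(config_dir, query_string, default="htdig"):
    """Mimic htsearch: take `config` from the query string and open
    <config_dir>/<config>.conf. Returns the file body, or None if no such file.
    The fallback name `default` is an assumption made for this example."""
    params = parse_qs(query_string, keep_blank_values=True)
    name = params.get("config", [default])[0]
    return config_dir.get(name + ".conf")


# The site owner's password-protected form posts to htsearch.pr with a hidden
# config=private field. A third party simply writes this form instead
# (constructed), pointing at the unprotected htsearch on the same server:
ATTACKER_FORM = """
<form action="http://victim.example/cgi-bin/htsearch" method="get">
  <input type="hidden" name="config" value="private">
  <input type="text" name="words">
</form>
"""


def forged_query():
    """What the browser sends when the attacker's form above is submitted."""
    return "config=private&words=quarterly+report"


def serve(cgi_name, query_string, config_dirs):
    """Dispatch by CGI name to the directory compiled into that binary.
    Models the fix from the thread: a second htsearch built with a different
    DEFAULT_CONFIG_DIR cannot reach the private configuration at all."""
    return load_config(config_dirs[cgi_name], query_string)


# Setup as discussed in the thread: both binaries share one config directory.
SHARED_SETUP = {"htsearch": SHARED_CONFIG_DIR, "htsearch.pr": SHARED_CONFIG_DIR}
# Fix: each binary is compiled with its own config directory.
SPLIT_SETUP = {"htsearch": PUBLIC_ONLY_CONFIG_DIR, "htsearch.pr": PRIVATE_ONLY_CONFIG_DIR}

if __name__ == "__main__":
    print("shared dir, forged form via htsearch:", serve("htsearch", forged_query(), SHARED_SETUP))
    print("split dirs, forged form via htsearch:", serve("htsearch", forged_query(), SPLIT_SETUP))
```

With the shared directory the forged request returns the private configuration (and therefore the private database) without any password ever being asked for; with split directories the same request through the public htsearch finds nothing, and only htsearch.pr, which sits behind the server's password protection, can reach it. The password only guards the form page and the .pr script, never the parameter values, which is the point Stephane Bortzmeyer makes about hidden fields. Note that this separation says nothing about the HTTP snooping risk raised in the thread; that needs HTTPS.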