Re: [htdig] Search engine for private page


Subject: Re: [htdig] Search engine for private page
From: Gilles Detillieux (grdetil@scrc.umanitoba.ca)
Date: Thu Oct 26 2000 - 09:54:19 PDT


According to Stephane Bortzmeyer:
> On Wednesday 25 October 2000, at 11 h 12, the keyboard of Geoff Hutchison
> <ghutchis@wso.williams.edu> wrote:
> > > As I understand it, there is no real security here: anyone can setup a
> > > form in a Web page which will call htsearch (not htsearch.pr) and this
> > > htsearch will be able to read the configuration file for the private
> > > database?
> >
> > No, not really. But the form would be protected by password too, right?
>
> *My* form but anybody on the Net can write a similar form, just using htsearch
> and not htsearch.pr as its action. (It is a very common attack against Web
> servers whose only protection is in the hidden fields of a form.)
>
> > If you want something more secure, you'd have to compile htsearch again,
> > setting a different DEFAULT_CONFIG_DIR, which would prevent the other
> > htsearch form entering that directory.

Using a symbolic link to htsearch doesn't secure anything because
the link to the binary won't change the CONFIG_DIR setting that
the binary uses, so you're still relying on keeping the config file
name secret. If you don't want to compile two htsearch binaries with
different CONFIG_DIR settings, you can use a simple wrapper script for the
secure htsearch.pr, which sets the CONFIG_DIR environment variable to the
secure configuration directory. This environment variable overrides the
compiled-in setting specified by the make-file variable of the same name.

> > But as a side note, remember that if all of this is using HTTP instead of
> > HTTPS, a simple snooping attack will grab your passwords.
>
> Right. But all connections to the internal database are from the local network, which restricts the set of possible attackers.

Yes, this snooping attack is not as easily carried out as the many means of
figuring out or guessing a "secret" config file name. Basic authentication
isn't great security, but it's better than nothing.

I'll try to get around to adding an FAQ entry about this.

-- 
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
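As an added example (not code from the thread or from the ht://Dig project), here is what the wrapper script Gilles describes could look like: a CGI script standing in for htsearch.pr that sets the CONFIG_DIR environment variable to the private configuration directory and then hands off to the real htsearch binary. It also refuses to run unless the web server has actually authenticated the caller (REMOTE_USER is set by the server once Basic authentication succeeds), so a dropped or misapplied .htaccess does not silently expose the private database. The paths in HTSEARCH_BIN and SECURE_CONFIG_DIR are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example, not part of the original thread or of ht://Dig itself:
# a CGI wrapper used in place of "htsearch.pr". It points htsearch at a
# private config directory through the CONFIG_DIR environment variable,
# which overrides the compiled-in DEFAULT_CONFIG_DIR, and it refuses to run
# unless the server authenticated the caller first.
# Both paths below are assumptions for this example.

HTSEARCH_BIN="${HTSEARCH_BIN:-/usr/local/bin/htsearch}"       # assumed path
SECURE_CONFIG_DIR="${SECURE_CONFIG_DIR:-/etc/htdig/private}"  # assumed path

# Returns 0 only when the server supplied a REMOTE_USER, i.e. Basic (or
# other) authentication succeeded before the CGI was invoked. This catches
# the case where the access control protecting htsearch.pr was never applied.
caller_authenticated() {
    [ -n "$1" ]
}

# Returns 0 when the private config directory exists and is not readable by
# "others": the private configuration should be reachable by the web server
# account only, not by every local account on the host.
config_dir_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    others=$(ls -ld "$dir" | cut -c8-10)   # the "others" rwx triplet
    case "$others" in
        *r*) return 1 ;;
    esac
    return 0
}

# Export the override and replace this process with the real htsearch, so
# the binary reads its config from the private directory instead of the
# compiled-in one.
run_private_search() {
    CONFIG_DIR="$SECURE_CONFIG_DIR"
    export CONFIG_DIR
    exec "$HTSEARCH_BIN" "$@"
}

# Only act when invoked by the web server as a CGI (the CGI spec sets
# GATEWAY_INTERFACE); sourcing the file elsewhere runs nothing.
if [ -n "$GATEWAY_INTERFACE" ]; then
    if ! caller_authenticated "$REMOTE_USER"; then
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nauthentication required\n'
        exit 0
    fi
    if ! config_dir_ok "$SECURE_CONFIG_DIR"; then
        printf 'Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\nprivate config directory unavailable\n'
        exit 0
    fi
    run_private_search "$@"
fi
```

The wrapper only changes which directory htsearch reads its configuration from; the password protection still has to come from the web server's access control on the wrapper's URL, which is why the REMOTE_USER check is there as a second line of defence rather than the primary one.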

------------------------------------ To unsubscribe from the htdig mailing list, send a message to htdig-unsubscribe@htdig.org You will receive a message to confirm this. List archives: <http://www.htdig.org/mail/menu.html> FAQ: <http://www.htdig.org/FAQ.html>



This archive was generated by hypermail 2b28 : Thu Oct 26 2000 - 10:00:17 PDT