Re: [htdig] security hole (was: how to set the $(PERCENT)? -it always show 1%)


Subject: Re: [htdig] security hole (was: how to set the $(PERCENT)? -it always show 1%)
From: Gilles Detillieux (grdetil@scrc.umanitoba.ca)
Date: Fri Jan 12 2001 - 14:44:49 PST


According to Edward Lu:
> Geoff,
> What is the security hole in version 3.1.5?
> It sounds scary.

The security hole is in versions BEFORE 3.1.5, and is fixed in 3.1.5. It
allowed a user to snoop through any file on your web server's file system,
as long as it was readable by the user ID under which the web server process
runs, just by passing it a special query string in the htsearch URL.

-- 
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930




This archive was generated by hypermail 2b28 : Fri Jan 12 2001 - 14:58:54 PST