In any case, I'd like to get a patch (and perhaps 3.1.6) out relatively soon.
At 3:36 PM -0500 9/6/01, Gilles Detillieux wrote:
>variables like LD_LIBRARY_PATH? The way I see it, if you can hack a CGI
>program's environment from a web client, then it's pretty near impossible
>to write a safe CGI program.
No, no. It's a two-fold attack. With shell access you change the
environment and then the CGI is remotely vulnerable. Granted, I'm not
sure how you do the attack--I sent a message to bugtraq asking if
there were pointers (and outlined this discussion in general about
CGIs).
>a local user hacks CONFIG_DIR, so what? He can find a convoluted way
>of reading a local file that he could directly view with cat, more,
>less, vi, etc. I don't see a hole there.
Keep in mind that a user doesn't have access to everything. If you
can hijack a CGI, you might be able to read webserver config files,
logs, etc. that could be unreadable to you. Yes, it'd be hard to
>See http://www.htdig.org/FAQ.html#q4.20
Hmm. Maybe.
>So, why are we supposed to use tweezers to fix a known and fairly obvious
>hole, and a sledgehammer to fix a more obscure one?
I'm not clear on why removing code involves a tweezers in one hand
and a sledgehammer in another.
>But if we're going to go to such extremes, I think we need something more
>solid to base it on than a vague concern that the environment variables
>might get hacked, i.e. a plausible scenario of how one might do just that.
Look, it's a fine point. Personally, I'd much rather not have such
explicit trust in an environment variable. Your points about
LD_LIBRARY_PATH and so on are good, but I'll just say that if we
leave CONFIG_DIR in there, I'm going to patch it on my copies. Call
it paranoia if you like.
-Geoff
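
One way to limit the trust placed in CONFIG_DIR, short of removing the lookup entirely, is to ignore the variable whenever the program runs as a CGI. The sketch below is an added example, not code from ht://Dig or from the patch discussed in this thread; `config_dir()`, `running_as_cgi()` and the `DEFAULT_CONFIG_DIR` placeholder are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder for the directory fixed at build time (assumption). */
#define DEFAULT_CONFIG_DIR "/path/to/htdig/conf"

/* CGI/1.1 servers set GATEWAY_INTERFACE in the environment of every request. */
static int running_as_cgi(void)
{
    const char *gi = getenv("GATEWAY_INTERFACE");
    return gi != NULL && gi[0] != '\0';
}

/* Hypothetical helper: returns the directory to read configuration from.
 * CONFIG_DIR is honoured only for command-line runs, and only when it is
 * an absolute path; in every other case the built-in default is used. */
const char *config_dir(void)
{
    const char *env = getenv("CONFIG_DIR");

    if (running_as_cgi())
        return DEFAULT_CONFIG_DIR;  /* never trust the variable under a web server */
    if (env == NULL || env[0] != '/')
        return DEFAULT_CONFIG_DIR;  /* unset, empty or relative value */
    return env;
}

int main(void)
{
    printf("config directory: %s\n", config_dir());
    return 0;
}
```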