On Wednesday 25 October 2000, at 11 h 12, the keyboard of Geoff Hutchison
<[EMAIL PROTECTED]> wrote:
> > As I understand it, there is no real security here: anyone can set up a
> > form in a Web page which will call htsearch (not htsearch.pr) and this
> > htsearch will be able to read the configuration file for the private
> > database?
>
> No, not really. But the form would be protected by password too, right?
*My* form but anybody on the Net can write a similar form, just using htsearch
and not htsearch.pr as its action. (It is a very common attack against Web
servers whose only protection is in the hidden fields of a form.)
> If you want something more secure, you'd have to compile htsearch again,
> setting a different DEFAULT_CONFIG_DIR, which would prevent the other
> htsearch from entering that directory.
I see.
> But as a side note, remember that if all of this is using HTTP instead of
> HTTPS, a simple snooping attack will grab your passwords.
Right. But all connections to the internal database are from the local
network, which restricts the set of possible attackers.
------------------------------------
To unsubscribe from the htdig mailing list, send a message to
[EMAIL PROTECTED]
You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>
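The point made in the thread, as an added example that is not htdig code: a search CGI that lets a form field alone choose which configuration it reads (as the original htsearch form does) is open to any copy of that form, whereas a server-side allowlist plus per-database credentials holds regardless of which page submitted the request. The config directory, database names and credentials below are constructed for illustration.

```python
import base64
import hmac
import os
from typing import Optional

CONFIG_DIR = "/etc/htdig"                 # assumed stand-in for DEFAULT_CONFIG_DIR
# Database name -> user allowed to search it (None = public). Constructed sample.
DATABASES = {"public": None, "private": "intranet"}
USERS = {"intranet": "s3cret"}            # constructed sample credentials


def weak_select(form_config: str) -> str:
    """The pattern the thread warns about: the form field alone decides which
    configuration is read, so a copy of the form on any site works the same."""
    return os.path.join(CONFIG_DIR, form_config + ".conf")


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic header a browser sends after a password challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_auth_user(auth_header: Optional[str]) -> Optional[str]:
    """Return the user name from a valid HTTP Basic header, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:                        # bad base64 or non-UTF-8 payload
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(password, expected):
        return None
    return user


def hardened_select(form_config: str, auth_header: Optional[str]) -> Optional[str]:
    """Only known names are accepted, and a protected database additionally
    requires credentials on this request, whichever form submitted it."""
    if form_config not in DATABASES:          # allowlist: no traversal, no guessing
        return None
    required_user = DATABASES[form_config]
    if required_user is not None and _basic_auth_user(auth_header) != required_user:
        return None
    return os.path.join(CONFIG_DIR, form_config + ".conf")
```

With the weak variant, `config=private` is honoured from anywhere; with the hardened one the request must carry the password itself, which is the same check the thread otherwise relies on the protected form page to provide.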