According to Stephane Bortzmeyer:
> On Wednesday 25 October 2000, at 11 h 12, the keyboard of Geoff Hutchison
> <[EMAIL PROTECTED]> wrote:
> > > As I understand it, there is no real security here: anyone can setup a
> > > form in a Web page which will call htsearch (not htsearch.pr) and this
> > > htsearch will be able to read the configuration file for the private
> > > database?
> >
> > No, not really. But the form would be protected by password too, right?
>
> *My* form but anybody on the Net can write a similar form, just using htsearch
> and not htsearch.pr as its action. (It is a very common attack against Web
> servers whose only protection is in the hidden fields of a form.)
>
> > If you want something more secure, you'd have to compile htsearch again,
> > setting a different DEFAULT_CONFIG_DIR, which would prevent the other
> > htsearch form entering that directory.
Using a symbolic link to htsearch doesn't secure anything because
the link to the binary won't change the CONFIG_DIR setting that
the binary uses, so you're still relying on keeping the config file
name secret. If you don't want to compile two htsearch binaries with
different CONFIG_DIR settings, you can use a simple wrapper script for the
secure htsearch.pr, which sets the CONFIG_DIR environment variable to the
secure configuration directory. This environment variable overrides the
compiled-in setting specified by the make-file variable of the same name.
> > But as a side note, remember that if all of this is using HTTP instead of
> > HTTPS, a simple snooping attack will grab your passwords.
>
> Right. But all connections to the internal database are from the local network,
> which restricts the set of possible attackers.
Yes, this snooping attack is not as easily carried out as the many means of
figuring out or guessing a "secret" config file name. Basic authentication
isn't great security, but it's better than nothing.
I'll try to get around to adding an FAQ entry about this.
--
Gilles R. Detillieux E-mail: <[EMAIL PROTECTED]>
Spinal Cord Research Centre WWW: http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba Phone: (204)789-3766
Winnipeg, MB R3E 3J7 (Canada) Fax: (204)789-3930
------------------------------------
To unsubscribe from the htdig mailing list, send a message to
[EMAIL PROTECTED]
You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>
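The wrapper script Gilles describes above, written out as an added example (not code from the thread or from the htdig project). The install paths, the "other"-permission check on the private directory and the CGI-environment guard are assumptions; the web server must still require authentication for the wrapper itself.

```shell
#!/bin/sh
# Added example: a wrapper installed as the password-protected htsearch.pr.
# It points htsearch at a private CONFIG_DIR, so the unprotected htsearch CGI
# (compiled with the default CONFIG_DIR) never looks in the private directory.
# Assumed paths (not from the thread); adjust to the installation.
PRIVATE_CONFIG_DIR="${PRIVATE_CONFIG_DIR:-/usr/local/htdig/private-conf}"
HTSEARCH_BIN="${HTSEARCH_BIN:-/usr/local/htdig/bin/htsearch}"

# Added hygiene check: the private directory must exist and must not be
# accessible to "other", so unrelated local accounts cannot read it either.
# Reads columns 8-10 of the ls -ld permission field (the "other" bits).
check_private_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    case "$(ls -ld "$dir" | cut -c8-10)" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run the real htsearch with CONFIG_DIR overriding its compiled-in default,
# passing any arguments through. Output is htsearch's own CGI response.
run_private_htsearch() {
    check_private_dir "$PRIVATE_CONFIG_DIR" || {
        printf 'Content-Type: text/plain\r\n\r\nprivate search misconfigured\n'
        return 1
    }
    CONFIG_DIR="$PRIVATE_CONFIG_DIR" "$HTSEARCH_BIN" "$@"
}

# Only dispatch when the web server invokes this file as a CGI (the CGI
# specification sets GATEWAY_INTERFACE); sourcing it just defines functions.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    run_private_htsearch "$@"
fi
```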