Hi-ho,

A big thanks to those folks on the list who had a look at our opac earlier in the day and gave feedback..

We're the first customer of NCS's (the vendor of the Library package, and authors of the shocking HTML) to put the system online, so to speak. Currently we only use it 'for real' in our libraries on locked down win98 machines. I'll sift through the comments mailed to me tomorrow, and forward them on to NCS to get the issues resolved. In the short term I'm not worried about the minor HTML bits, but the blank screen is a worry!

Also, thanks to all of you for not finding the two glaring security problems. Hence I've taken the box offline for the moment (blocked the squid accelerator's access to the internal server) to get them fixed.

A note or two for anyone else using a vendor's programs 'online':

- When the vendor says "There are no problems with the cgi or parameter exploits", double your efforts to check the system.. I managed to cat the /etc/passwd file to the browser, from home, no inside knowledge required. Bummer, and I don't consider myself to be a great 'hacker', if I can use that term.
- Make sure the vendor knows what they are doing with Apache. Sure, the opac directory and web structure was secure, but the other virtual hosts (in-house web lookup functionality for rates etc.) had 'indexes' enabled in the <directory> sections of the apache config, and there are sym-links from the opac to some of the code directories in other virtual hosts for shared libraries.. Duh.
- Assume that the vendor doesn't know the first thing about secure web sites or cgi, and work from there.
- Be _VERY_ afraid when you discover that some of the cgi stuff is actually shell scripts.. ARHG! Only found out that one this evening.

Again, thanks to the folks who passed comments back. I'll let you know when we've had the HTML problems fixed and open it up again. Oh, and the security flaws re-carpeted.. :-)

'ave a good evening,
Chris H.
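The Apache point in the post is easy to check mechanically. The following is an added example, not code from Chris's post or from NCS: a small Python audit that parses the `<Directory>` blocks of a constructed httpd.conf fragment and reports any block whose `Options` leave `Indexes` or `FollowSymLinks` enabled. It assumes options are set inside the block itself (it ignores inheritance from enclosing blocks and from .htaccess).

```python
import re

# Constructed sample httpd.conf fragment (not the vendor's real config): the "rates" host leaves listings and symlink following on; the opac host is hardened.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName rates.example.invalid
    <Directory "/srv/www/rates">
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName opac.example.invalid
    <Directory "/srv/www/opac">
        Options -Indexes +SymLinksIfOwnerMatch
    </Directory>
</VirtualHost>
"""

# Apache matches option names case-insensitively, so everything is compared lower-cased.
ALL_OPTIONS = {"execcgi", "followsymlinks", "includes", "includesnoexec", "indexes", "symlinksifownermatch"}
RISKY = {"indexes": "Indexes", "followsymlinks": "FollowSymLinks"}
DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def effective_options(body):
    """Fold a block's Options lines into the set that ends up enabled (no inheritance)."""
    enabled = set()
    for line in body.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() != "options":
            continue
        tokens = [t.lower() for t in parts[1:]]
        if all(t[0] in "+-" for t in tokens):       # relative form adjusts the current set
            for t in tokens:
                (enabled.add if t[0] == "+" else enabled.discard)(t[1:])
        else:                                        # absolute form replaces the set
            enabled = set()
            for t in tokens:                         # "All" is every option except MultiViews
                enabled |= ALL_OPTIONS if t == "all" else (set() if t == "none" else {t})
    return enabled

def audit(conf):
    """Map each <Directory> path to the risky options it leaves enabled."""
    findings = {}
    for path, body in DIR_RE.findall(conf):
        risky = [name for key, name in sorted(RISKY.items()) if key in effective_options(body)]
        if risky:
            findings[path] = risky
    return findings
```

Running `audit(SAMPLE_CONF)` flags only `/srv/www/rates`; the opac block, which turns listings off and replaces `FollowSymLinks` with `SymLinksIfOwnerMatch`, passes.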
