Hello Torsten,

On 04-Sep-00 05:41:02, you wrote:

>>  application: PHP interface to ht://Dig 2000.09.03
>>       author: Manuel Lemos <[EMAIL PROTECTED]>
>>      license: freely distributable
>>     category: Web/Development
>> 
>>     homepage: http://freshmeat.net/redir/homepage/968017154/
>>     download: http://freshmeat.net/redir/download/968017154/

>At first glance, I would say that there is a possible security hole
>in this class since the htsearch parameters are not shell-escaped.
>This could allow the execution of arbitrary commands.

I'm not sure how that may happen because the search words, eventually
passed as submitted form values, are URLEncoded and then passed to htsearch
in the QUERY_STRING environment variable.  I wonder if URLEncoding would
not prevent all possible attacks.


Regards,
Manuel Lemos

Web Programming Components using PHP Classes.
Look at: http://phpclasses.UpperDesign.com/?[EMAIL PROTECTED]
--
E-mail: [EMAIL PROTECTED]
URL: http://www.mlemos.e-na.net/
PGP key: http://www.mlemos.e-na.net/ManuelLemos.pgp
--

