Hello Torsten,
On 04-Sep-00 06:12:33, you wrote:
>> >> application: PHP interface to ht://Dig 2000.09.03
>> >> author: Manuel Lemos <[EMAIL PROTECTED]>
>> >> license: freely distributable
>> >> category: Web/Development
>> >>
>> >> homepage: http://freshmeat.net/redir/homepage/968017154/
>> >> download: http://freshmeat.net/redir/download/968017154/
>>
>> >At first glance, I would say that there is a possible security hole
>> >in this class since the htsearch parameters are not shell-escaped.
>> >This could allow the execution of arbitrary commands.
>>
>> I'm not sure how that may happen because the search words, eventually
>> passed as submitted form values, are URLEncoded and then passed to htsearch
>> in the QUERY_STRING environment variable. I wonder if URLEncoding would
>> not prevent all possible attacks.
>Hmm.. I think it will prevent most possible attacks, but not all.
>One reason for this is that shell-escaping is platform dependent and
>therefore must be handled differently on different OS platforms by the
>scripting engine, whereas URLencoding is not platform dependent.
I guess you are right. I may add shell escaping, but now I'm not sure
what should be escaped. I have something like:
Exec("QUERY_STRING=\"words=".UrlEncode($text)."\" /usr/local/htdig/cgi-bin/htsearch ");
I wonder if just escaping the result of the UrlEncode call would do. What do you think?
Regards,
Manuel Lemos
Web Programming Components using PHP Classes.
Look at: http://phpclasses.UpperDesign.com/?[EMAIL PROTECTED]
--
E-mail: [EMAIL PROTECTED]
URL: http://www.mlemos.e-na.net/
PGP key: http://www.mlemos.e-na.net/ManuelLemos.pgp
--
------------------------------------
To unsubscribe from the htdig mailing list, send a message to
[EMAIL PROTECTED]
You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>
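The exchange above asks whether the urlencode() output needs shell escaping on top. The following is an added example written for this thread; it is not code from the PHP htdig class or from either poster. It shows two defensive options for the Exec() line quoted in the message: keep the shell but wrap the whole argument in escapeshellarg(), or drop the shell entirely and hand QUERY_STRING to htsearch through proc_open() with an explicit environment array (the array-form command argument requires PHP 7.4 or later, which is an assumption of this example, not of the thread). The function names, the is_shell_inert() check and the sample query are constructed for illustration; the htsearch path is the one quoted in the message.

```php
<?php
// Added example, not part of the original thread or of the htdig PHP class.
// Assumed: PHP 7.4+ (array form of proc_open), the htsearch path from the
// thread, and the helper names build_htsearch_command()/run_htsearch().

declare(strict_types=1);

const HTSEARCH = '/usr/local/htdig/cgi-bin/htsearch'; // path quoted in the message

// urlencode() emits only [A-Za-z0-9_.-], '+' and '%XX' sequences, so the
// encoded words contain nothing a POSIX shell treats specially, even inside
// the double quotes used in the original Exec() line (no '$', '`', '"' or
// ';' survive encoding). This check states that assumption explicitly
// instead of relying on it silently.
function is_shell_inert(string $token): bool
{
    return preg_match('/^[A-Za-z0-9_.%+-]*$/', $token) === 1;
}

// Option 1: still go through the shell, but quote the *whole* argument with
// escapeshellarg(). Escaping already-encoded data is harmless, and it keeps
// the command safe if someone later replaces urlencode() with a weaker encoder.
function build_htsearch_command(string $words): string
{
    $encoded = urlencode($words);
    if (!is_shell_inert($encoded)) {
        // Should be unreachable with urlencode(); fail closed if it ever is.
        throw new RuntimeException('encoded query contains shell metacharacters');
    }
    $query = 'words=' . $encoded;
    return 'QUERY_STRING=' . escapeshellarg($query) . ' ' . escapeshellarg(HTSEARCH);
}

// Option 2: avoid the shell altogether. With an array command, proc_open()
// executes htsearch directly and passes QUERY_STRING via the env array, so
// no platform-specific quoting rules are involved, which is the portability
// concern raised in the thread.
function run_htsearch(string $words): string
{
    $env  = ['QUERY_STRING' => 'words=' . urlencode($words)];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([HTSEARCH], $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start htsearch');
    }
    fclose($pipes[0]);                      // htsearch reads nothing on stdin here
    $out = stream_get_contents($pipes[1]);  // the HTML result page
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed sample input containing characters a shell would interpret.
$sample = 'php classes; echo $(id) `uname` | \' " &';
echo build_htsearch_command($sample), "\n";
// Prints a single-quoted QUERY_STRING whose value contains only %XX escapes,
// '+' and alphanumerics; run_htsearch($sample) would pass the same value to
// htsearch without any shell being involved.
```

Either option removes the dependence on the shell's quoting rules that the thread worries about; the second also removes the shell as a component to reason about at all, which is the simpler thing to audit.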