According to Geoff Hutchison:

> On Wed, 30 Oct 2002, Gilles Detillieux wrote:
> > I believe /etc/htdig.conf is what Red Hat's RPM of htdig uses. More sane
> > packages would use /etc/htdig/htdig.conf, recognizing that you can have
> > more than one config file in CONFIG_DIR, accessible by htsearch, so it
> > doesn't make sense to set CONFIG_DIR to /etc.
>
> Actually, come to think of it, this is a potential security problem--since
> htsearch is tied to CONFIG_DIR, you could try to get htsearch to read
> other files in /etc. Now, it may not be easily exploitable, but on a RH
> 8.0 setup, I see lots of *.conf files, some of which I wouldn't want a CGI
> to attempt to read.
>
> I'll try to think about how nasty that could get, but it certainly seems a
> much safer idea to stick to /etc/htdig or some other non-important
> directory!
Absolutely. Red Hat seems to be blissfully unaware that the htsearch binary in their htdig-web package can read ANY *.conf file anywhere under /etc because of their choice of setting CONFIG_DIR to /etc. They really should be using a subdirectory under /etc for ht://Dig's exclusive use.

Several months ago, I browsed through all *.conf files directly in /etc on my Red Hat 7.2 system (without also checking all subdirectories which htsearch could access), and I didn't see anything there that htsearch would actually be able to parse. So I think the actual, current threat isn't as great as the potential seems to be. However, that could easily change as other *.conf files are added to /etc, if any of these use a format more like htsearch's.

--
Gilles R. Detillieux              E-mail: <[EMAIL PROTECTED]>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/
Dept. Physiology, U. of Manitoba  Winnipeg, MB  R3E 3J7  (Canada)
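The exposure discussed above, as an added example that is not part of the thread or of ht://Dig's own code: a constructed stand-in for a Red Hat style `/etc` shows which `*.conf` files become selectable when `CONFIG_DIR` is `/etc` versus the recommended `/etc/htdig`, and a small resolver shows the confinement check a search CGI should apply to a caller-supplied config name. It assumes (as the thread implies) that htsearch maps a bare config name to `CONFIG_DIR/<name>.conf`; the function names, the fixture and the sample file names are constructed for this example.

```python
import os
import re
import tempfile

# An acceptable config name is a bare basename: no separators, no dots.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_config(name, config_dir):
    """Map a CGI-supplied config name to CONFIG_DIR/<name>.conf.

    Returns None when the name could escape config_dir. Assumption: as with
    htsearch, an empty name selects the default 'htdig' configuration.
    """
    if not name:
        name = "htdig"
    if not SAFE_NAME.match(name):
        return None
    path = os.path.join(config_dir, name + ".conf")
    # Defence in depth: a name that passed the pattern must still resolve to a
    # file directly inside config_dir (guards against symlinks placed there).
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(config_dir):
        return None
    return path


def reachable_confs(config_dir):
    """Every *.conf file directly in config_dir, i.e. everything a caller
    could select with a plain config name. Sorted for stable output."""
    return sorted(f for f in os.listdir(config_dir) if f.endswith(".conf"))


def foreign_confs(config_dir, own=("htdig.conf",)):
    """The subset of reachable_confs that does not belong to ht://Dig.
    A non-empty result means CONFIG_DIR is shared with other software."""
    return [f for f in reachable_confs(config_dir) if f not in own]


def make_fixture():
    """Constructed sample tree: ht://Dig's config beside unrelated *.conf
    files in a fake /etc, plus the recommended /etc/htdig subdirectory."""
    root = tempfile.mkdtemp(prefix="fake-etc-")
    etc = os.path.join(root, "etc")
    os.makedirs(os.path.join(etc, "htdig"))
    for rel in ("htdig.conf", "ld.so.conf", "host.conf", "htdig/htdig.conf"):
        with open(os.path.join(etc, rel), "w") as fh:
            fh.write("# constructed sample %s\n" % rel)
    return etc


if __name__ == "__main__":
    etc = make_fixture()
    print("CONFIG_DIR=%s exposes: %s" % (etc, foreign_confs(etc)))
    safe = os.path.join(etc, "htdig")
    print("CONFIG_DIR=%s exposes: %s" % (safe, foreign_confs(safe)))
    for name in ("htdig", "../ld.so", "host.conf"):
        print("config=%r -> %s" % (name, resolve_config(name, safe)))
```

Running it prints the two foreign files (`host.conf`, `ld.so.conf`) for the shared directory and an empty list for the dedicated one; the resolver accepts `htdig` and rejects the names containing a path separator or a dot. The listing function is the quick audit an administrator can run against a real `CONFIG_DIR` to see whether it is shared with other software, which is the situation the thread warns about.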

