From: Geoff H. <ghu...@ws...> - 2002-10-31 00:50:57
On Wed, 30 Oct 2002, Gilles Detillieux wrote:
> I believe /etc/htdig.conf is what Red Hat's RPM of htdig uses. More sane
> packages would use /etc/htdig/htdig.conf, recognizing that you can have
> more than one config file in CONFIG_DIR, accessible by htsearch, so it
> doesn't make sense to set CONFIG_DIR to /etc.

Actually, come to think of it, this is a potential security problem--since
htsearch is tied to CONFIG_DIR, you could try to get htsearch to read
other files in /etc. Now, it may not be easily exploitable, but on a RH
8.0 setup, I see lots of *.conf files, some of which I wouldn't want a CGI
to attempt to read.

I'll try to think about how nasty that could get, but it certainly seems a
much safer idea to stick to /etc/htdig or some other non-important
directory!

-- 
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/
From: Gilles D. <gr...@sc...> - 2002-11-05 21:46:28
According to Geoff Hutchison:
> On Wed, 30 Oct 2002, Gilles Detillieux wrote:
> > I believe /etc/htdig.conf is what Red Hat's RPM of htdig uses. More sane
> > packages would use /etc/htdig/htdig.conf, recognizing that you can have
> > more than one config file in CONFIG_DIR, accessible by htsearch, so it
> > doesn't make sense to set CONFIG_DIR to /etc.
> 
> Actually, come to think of it, this is a potential security problem--since
> htsearch is tied to CONFIG_DIR, you could try to get htsearch to read
> other files in /etc. Now, it may not be easily exploitable, but on a RH
> 8.0 setup, I see lots of *.conf files, some of which I wouldn't want a CGI
> to attempt to read.
> 
> I'll try to think about how nasty that could get, but it certainly seems a
> much safer idea to stick to /etc/htdig or some other non-important
> directory!

Absolutely. Red Hat seems to be blissfully unaware that the htsearch
binary in their htdig-web package can read ANY *.conf file anywhere under
/etc because of their choice of setting CONFIG_DIR to /etc. They really
should be using a subdirectory under /etc for ht://Dig's exclusive use.

Several months ago, I browsed through all *.conf files directly in /etc on
my Red Hat 7.2 system (without also checking all subdirectories which
htsearch could access), and I didn't see anything there that htsearch
would actually be able to parse. So I think the actual, current threat
isn't as great as the potential seems to be. However, that could easily
change as other *.conf files are added to /etc, if any of these use a
format more like htsearch's.

-- 
Gilles R. Detillieux              E-mail: <gr...@sc...>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/
Dept. Physiology, U. of Manitoba  Winnipeg, MB  R3E 3J7  (Canada)
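The lookup the two messages above describe, as an added example that is not part of the thread and not ht://Dig's own code: it assumes the CGI's `config` parameter selects `CONFIG_DIR/<name>.conf` (an assumption about the shape of the lookup, not a copy of htsearch), builds a constructed stand-in for a Red Hat /etc in a temporary directory, and contrasts the naive join against a hardened lookup that uses a dedicated directory, a strict name pattern, and a containment check.

```python
import os
import re
import shutil
import tempfile
from typing import Dict, Optional

# Assumed shape of the lookup under discussion: the CGI's `config` parameter
# selects CONFIG_DIR/<config>.conf.  This is a model for illustration, not a
# copy of htsearch's own code.


def naive_config_path(config_dir: str, config: str) -> str:
    """Resolve the way the thread describes: any *.conf under CONFIG_DIR is
    reachable, so with CONFIG_DIR=/etc every /etc/*.conf is a candidate."""
    return os.path.join(config_dir, config + ".conf")


# A config name is a bare identifier: no '/', no '.', hence no '..' and no
# absolute paths.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def safe_config_path(config_dir: str, config: str) -> Optional[str]:
    """Hardened lookup: a directory for ht://Dig's exclusive use, a strict
    name pattern, and a containment check after resolving symlinks."""
    if not _SAFE_NAME.fullmatch(config):
        return None
    base = os.path.realpath(config_dir)
    path = os.path.realpath(os.path.join(base, config + ".conf"))
    if os.path.dirname(path) != base:  # a symlink pointed outside the directory
        return None
    if not os.path.isfile(path):
        return None
    return path


def build_fake_root() -> str:
    """Constructed stand-in for a Red Hat /etc (not real system files): one
    htdig.conf directly in /etc, an unrelated ldap.conf beside it, and a
    dedicated /etc/htdig holding two site configs."""
    root = tempfile.mkdtemp(prefix="htdig-demo-")
    etc = os.path.join(root, "etc")
    os.makedirs(os.path.join(etc, "htdig"))
    files = {
        "htdig.conf": "database_dir: /var/lib/htdig\n",
        "ldap.conf": "BASE dc=example,dc=org\n",  # constructed sample content
        os.path.join("htdig", "htdig.conf"): "database_dir: /var/lib/htdig\n",
        os.path.join("htdig", "site2.conf"): "database_dir: /var/lib/htdig/site2\n",
    }
    for rel, body in files.items():
        with open(os.path.join(etc, rel), "w") as fh:
            fh.write(body)
    return root


def demo() -> Dict[str, object]:
    """Run both lookups against the constructed tree and report what each
    would hand to the config parser."""
    root = build_fake_root()
    try:
        etc = os.path.join(root, "etc")
        htdig_dir = os.path.join(etc, "htdig")
        return {
            # CONFIG_DIR=/etc: a request for config=ldap reaches /etc/ldap.conf
            "naive_ldap_readable": os.path.isfile(naive_config_path(etc, "ldap")),
            # even with CONFIG_DIR=/etc/htdig, the naive join walks back up
            "naive_traversal_readable": os.path.isfile(
                naive_config_path(htdig_dir, "../ldap")),
            "safe_site2": safe_config_path(htdig_dir, "site2"),
            "safe_traversal": safe_config_path(htdig_dir, "../ldap"),
            "safe_dotted": safe_config_path(htdig_dir, "site.2"),
            "safe_missing": safe_config_path(htdig_dir, "nosuch"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the naive function is the one Gilles makes: with CONFIG_DIR set to /etc, nothing distinguishes ht://Dig's own file from any other *.conf beside it, and which of them the parser will accept is an accident of format. The hardened version makes the directory the boundary and refuses names that could name anything else.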