Re: Insecure Indexing

From: David L Norris <dave(at)not-real.webaugur.com>
Date: Tue Mar 01 2005 - 19:13:48 GMT

On Mon, 2005-02-28 at 17:29 -0800, Bill Moseley wrote:
>You slashdot readers have seen this article:
>
>  http://www.webappsec.org/articles/022805-plain.html

Seems like a pretty decent article.  Glad you forwarded it since I don't
read Slashdot.  ;-)

>which is about how if you index the file system (instead of indexing
>via a spider) then you might make files available that are not
>available via the web.  Hopefully, this is obvious.

One could call that either a massive security hole or a feature.  Seems
like I recall a conversation or two on this list where indexing files
not available via the web was a desirable feature.

What I think would be nice is a Perl filesystem indexer which is aware
of permissions.  Should be easy to implement a comprehensive filesystem
indexer using DirTree.pl as a base.  That would be my preference rather
than adding ever-increasing hacks to Swish-e itself.

-- 
 David Norris
  http://www.webaugur.com/dave/
  ICQ - 412039
Received on Tue Mar 1 11:13:48 2005
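
A sketch of the permission-aware filesystem indexer suggested in the message above, written as a document source for Swish-e's `-S prog` input method. This is an added example, not code from the post, from DirTree.pl or from the Swish-e project. It assumes "aware of permissions" means: emit a regular file only if it is world-readable and every directory below the starting root is world-searchable. That policy is an assumption; mode bits do not capture web-server access rules, which a real deployment would also have to mirror.

```perl
#!/usr/bin/perl
# Added example: permission-aware file source for `swish-e -S prog`.
# Policy (an assumption of this sketch): a file is indexable only if
# "other" can read it and can traverse every directory leading to it.
use strict;
use warnings;
use File::Find;
use Fcntl ':mode';

my $root = shift @ARGV or die "usage: $0 /path/to/docroot\n";
binmode STDOUT;

# no_chdir keeps $_ as the full path, which becomes Path-Name below.
find({ wanted => \&wanted, no_chdir => 1 }, $root);

sub wanted {
    # lstat, not stat: a symlink is judged as a link and never followed,
    # so a link inside the tree cannot pull in files from outside it.
    my @st = lstat($_) or return;
    my $mode = $st[2];

    if (S_ISDIR($mode)) {
        # Directory not searchable by "other": skip the whole subtree.
        $File::Find::prune = 1 unless $mode & S_IXOTH;
        return;
    }

    # Skip symlinks, devices, sockets and files "other" cannot read.
    return unless S_ISREG($mode) && ($mode & S_IROTH);

    open(my $fh, '<:raw', $_) or do { warn "skip $_: $!\n"; return };
    my $body = do { local $/; <$fh> };
    close $fh;
    $body = '' unless defined $body;

    # Header block read by swish-e's prog method, then the raw content.
    printf "Path-Name: %s\nContent-Length: %d\nLast-Mtime: %d\n\n",
        $_, length($body), $st[9];
    print $body;
}
```

Files the indexing user can read but that fail the check never reach the index, so they cannot surface in search results or excerpts.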