Re: Insecure Indexing

From: Michael Peters <mpeters(at)>
Date: Tue Mar 01 2005 - 19:55:10 GMT
David L Norris wrote:
> On Tue, 2005-03-01 at 14:19 -0500, Michael Peters wrote:
>>You mean an indexer that was aware of the web server's permissions? 
>>Which one? Apache, IIS, Websphere, etc? Web servers can be configured 
>>in such convoluted ways that it would be difficult to just parse a conf 
>>file, not to mention custom auth handlers like one would write under 
>>mod_perl, and forget being able to use cookies to check if someone is 
>>'logged in'.
> Well, that's exactly the argument I'm making.  It's unreasonably complex
> to implement the convoluted logic required for an arbitrary number of
> web servers.  Rather than trying to make Swish-e understand 100
> different web servers I think it would be better to implement that in a
> specialized "-S prog" method script.

I still don't understand how this specialized "-S prog" would work. A 
file-level search will *never* be able to respect the access controls 
for the web server because, for any moderately complex webserver, you 
couldn't even look at a file's path and guarantee that you could figure 
out the URL for any given file. These decisions are made at request time.

Michael Peters
Plus Three, LP
Received on Tue Mar 1 11:55:11 2005