[ic] "SOLVED" RE: search problem on any table

IC Support ic_support at mnwebdesign.com
Wed Oct 5 15:59:06 UTC 2011


On Tuesday, October 04, 2011 7:41 PM Peter said:

> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org 
> [mailto:interchange-users-bounces at icdevgroup.org] On Behalf Of Peter
> Sent: Tuesday, October 04, 2011 7:41 PM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] "SOLVED" RE: search problem on any table
> 
> On 05/10/11 12:10, IC Support wrote:
> > Just to follow up, I did end up figuring out I needed to add the 
> > NoSearch directive to my search pages.
> > 
> > [calc]
> >     # clears the NoSearch restriction for this page's search
> >     $CGI->{mv_todo} = 'search';
> >     $Config->{NoSearch} = '';
> > [/calc]
> 
> This is not a good idea, I (or someone with worse intentions 
> than me) can now create a specially crafted search query to 
> get data out of your userdb, transactions, orderline, access, 
> tables and more.  You should specify the NoSearch directive 
> once in your catalog.cfg and list every table that you do not 
> anticipate a search running on, or better yet upgrade to a 
> more recent version of IC that has much better limitations on 
> search to prevent this.

I'm running IC 5.6.3. I don't sell products; this is a member directory. All
search pages are members-only, members must be part of each organization's
cat, there is no way for the general public to create a new account, accounts
for members are created in advance by an admin, and I have this in
catalog.cfg:

AllowRemoteSearch reunion news photos userdb

After Peter sent this reply, I made some changes, and I can now search all DBs
except userdb without unsetting the NoSearch directive on those searches.

Adding this to catalog.cfg did not seem to do anything:
NoSearch state country

I had to add the NoSearch directive to my userdb search pages. I have
several saved emails from Mike Heins and others proclaiming that, while it
may not be the best idea, it is the way to do it.

I only have a few tables that I am not searching. Am I really gaining
anything by adding this to catalog.cfg?

NoSearch state country


Thank you!

Curt
