[ic] "SOLVED" RE: search problem on any table

Peter peter at pajamian.dhs.org
Wed Oct 5 19:17:37 UTC 2011

On 06/10/11 04:59, IC Support wrote:
> I'm running IC 5.6.3,

5.6.3 is new enough to contain the the fixes for the security
vulnerability.  It has AllowRemoteSearch (positive list of tables) as
well as NoSearch (negative list).  If either one of them don't pass then
the search is denied.

> I don't sell products, this is a member directory, all
> search pages are members only, members must be a part of each organizations
> cat, there is no way to create a new account by the general public,

A vulnerability that only a member can exploit is still a vulnerability.

> accounts
> for members are created in advance by an admin, and I have this in
> catalog.cfg:
> AllowRemoteSearch reunion news photos userdb
> After Peter sent this reply, I made some changes and I can search all db's
> except userdb at this point, without unsetting the NoSearch directive on
> those searches.

You really want to be able to search everything except UserDB?

> Adding this to catalog.cfg did not seem to do anything:
> NoSearch state country

It should, unless you are explicitly changing it on the page itself.

> I had to add the NoSearch directive to my userdb search pages. I have
> several saved emails from Mike Heins and others proclaiming that, while it
> may not be the best idea, it is the way to do it.

Well, this depends.  If you just explicitly unset those tables that you
need to search it is fine, but I don't recommend clearing it out
completely, not on a page that displays results to the public anyways.

> I only have a few tables that I am not searching. Am I really gaining
> anything by adding this to catalog.cfg?
> NoSearch state country

I hope you have more tables that you're not searching than that.  An
attacker probably won't care about the state and country tables.


More information about the interchange-users mailing list