Hi all,
I started designing the new website for a company that uses the GL and noticied that virtually ANY query will be handled. I visited some other sites and they all have same problem: if you search for "a" (single letter) you basically get the whole database, no protection at all. This means you can get the full database of links with any wget or LWP script!
Is there a way to prevent this besides modifying search.cgi?
As a temporary solution I did the following (just in case someone is also concerned):
use lib '/var/www/yoursite/cgi-bin/admin';
use Links qw/$CFG/;
use Links::User::Search;
my %in;
&getvars;
my $entra = $in{'query'};
if (($entra) && length($entra) < 3 ){
print("Location: http://www.yoursite.com\n\n");
}
else {
local $SIG{__DIE__} = \&Links::fatal;
Links::init('/var/www/yoursite/cgi-bin/admin');
Links::init_user();
if (GT::Plugins->dispatch ($CFG->{admin_root_path} . '/Plugins', 'check_request', \&Links::check_request)) {
GT::Plugins->dispatch ($CFG->{admin_root_path} . '/Plugins', 'handle_search', \&Links::User::Search::handle);
}
}
sub getvars {
if ($ENV{QUERY_STRING}) {
for (split /\&/, $ENV{QUERY_STRING}) {
my($key, $val) = split /=/;
$val =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/ge;
$val =~ s/[^\w_-]//g;
$in{$key} = $val;
}
}
}
Yep I entered stop_words and checked Search.pm for 3 minimum but GL just ignore them!
Another way to get ALL LINKS from a site: search for "http:". You get it all.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Blondies can have brains (sometimes...)
I started designing the new website for a company that uses the GL and noticied that virtually ANY query will be handled. I visited some other sites and they all have same problem: if you search for "a" (single letter) you basically get the whole database, no protection at all. This means you can get the full database of links with any wget or LWP script!
Is there a way to prevent this besides modifying search.cgi?
As a temporary solution I did the following (just in case someone is also concerned):
Code:
use strict; use lib '/var/www/yoursite/cgi-bin/admin';
use Links qw/$CFG/;
use Links::User::Search;
my %in;
&getvars;
my $entra = $in{'query'};
if (($entra) && length($entra) < 3 ){
print("Location: http://www.yoursite.com\n\n");
}
else {
local $SIG{__DIE__} = \&Links::fatal;
Links::init('/var/www/yoursite/cgi-bin/admin');
Links::init_user();
if (GT::Plugins->dispatch ($CFG->{admin_root_path} . '/Plugins', 'check_request', \&Links::check_request)) {
GT::Plugins->dispatch ($CFG->{admin_root_path} . '/Plugins', 'handle_search', \&Links::User::Search::handle);
}
}
sub getvars {
if ($ENV{QUERY_STRING}) {
for (split /\&/, $ENV{QUERY_STRING}) {
my($key, $val) = split /=/;
$val =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/ge;
$val =~ s/[^\w_-]//g;
$in{$key} = $val;
}
}
}
Yep I entered stop_words and checked Search.pm for 3 minimum but GL just ignore them!
Another way to get ALL LINKS from a site: search for "http:". You get it all.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Blondies can have brains (sometimes...)
Search results. Bug?