Forwarding this to -users because I am having a little bit of lag and
mistyped the address the first time :P
Have a look at my answer on cocoon-dev : http://marc.theaimsgroup.com/?l=xml-cocoon-dev&m=104823479001495&w=2
Sylvain
---------- Forwarded message ---------- Date: Thu, 20 Mar 2003 16:14:31 -0500 (EST) From: Tony Collen <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: cocoon-view as possible security problem?
Browsing the livesites, on a whim I tried this URL:
http://dir.salon.com/?cocoon-view=content
and it worked! Obviously someone deploying Cocoon should be aware that this view is "on" by default, and may reveal data in your page you might not want. I have yet to see "bad" data get exposed, but there's always the possibility.
Do we want the views turned off by default, and have a message in the sitemap about enabling the views? Would it make more sense to have the name of the "cocoon-view" parameter be able to be changed via configuration? Say I wanted the parameter to be my-view instead of cocoon-view. Security through obscurity?
Tony
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- Sylvain Wallez Anyware Technologies http://www.apache.org/~sylvain http://www.anyware-tech.com { XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
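One thing a Cocoon operator can do today, whatever the default ends up being, is watch for the probe Tony describes. The script below is an added example for this thread; it is not code from Apache Cocoon and not anything the posters ran. It assumes Common/Combined Log Format access logs from the container in front of Cocoon, that the parameter is still named cocoon-view (the Cocoon 2 default), and the log lines embedded in it are constructed for the example.

```python
"""Flag access-log requests that use Cocoon's cocoon-view request parameter.

Added example, not part of the thread above or of Apache Cocoon. Assumes
Common/Combined Log Format lines and the default parameter name cocoon-view.
SAMPLE_LOG is constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

VIEW_PARAM = "cocoon-view"  # Cocoon 2 default; change if your deployment renames it

# Minimal CLF/combined parser: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed sample: one normal hit, one cocoon-view=content probe, one
# wrong-case name (servlet parameter names are case-sensitive, so Cocoon would
# not honour it), one percent-encoded name, and one false-positive trap where
# the string only appears as a value.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2003:16:10:02 -0500] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [20/Mar/2003:16:10:09 -0500] "GET /?cocoon-view=content HTTP/1.1" 200 8831
198.51.100.9 - - [20/Mar/2003:16:11:41 -0500] "GET /news/index.html?id=42&Cocoon-View=pretty-content HTTP/1.1" 200 9017
198.51.100.9 - - [20/Mar/2003:16:11:50 -0500] "GET /news/index.html?cocoon%2Dview=links HTTP/1.1" 200 412
192.0.2.33 - - [20/Mar/2003:16:12:03 -0500] "GET /search?q=cocoon-view HTTP/1.1" 200 2210
"""


def find_view_requests(log_text: str, param: str = VIEW_PARAM) -> list:
    """Return one finding per request whose query string names the view parameter.

    The parameter name is compared after percent-decoding, so an encoded
    'cocoon%2Dview' is matched the same way the servlet container would see it.
    Occurrences of the string inside a value (e.g. ?q=cocoon-view) are ignored.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count and report these
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == param:
                findings.append({
                    "client": m.group("client"),
                    "path": parts.path,
                    "view": value,
                    "status": int(m.group("status")),
                })
    return findings


def views_by_client(log_text: str, param: str = VIEW_PARAM) -> dict:
    """Group requested view names per client, for a quick hunting summary."""
    summary = {}
    for f in find_view_requests(log_text, param):
        summary.setdefault(f["client"], set()).add(f["view"])
    return summary


if __name__ == "__main__":
    for f in find_view_requests(SAMPLE_LOG):
        print(f"{f['client']} requested view {f['view']!r} on {f['path']} -> {f['status']}")
    print(views_by_client(SAMPLE_LOG))
```

A 200 on a cocoon-view=content request from an address that otherwise only fetched HTML pages is the pattern to look for; it means the raw pipeline content, before any later transformation stripped data out, was served. The same approach works if you rename the parameter: pass the new name as `param`.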