Re: [Zope-dev] Virtual Host Monster Paranoia
From: "Chris Withers" <[EMAIL PROTECTED]>
> Well, it's easy enough to find out if a site is running Zope, then this becomes
> a pretty easy attack to think of

I'm not going to claim that this is perfectly harmless, but I can't think of any way in which this could be termed an "attack". You can already provide any traversal path you like in the URL; all VHM adds is the ability to manipulate generated URLs, and in fairly crude ways. These URLs come back to your browser in a page, where they have no more potential for harm than if you'd assembled them by hand.

The only scenario I can imagine where this could even affect the operation of a site is one where the site uses URLs internally in some fashion. This is part of the reason that Zope has shifted from using URLs to paths when addressing objects, since paths are unaffected by URL manipulation.

Cheers,

Evan @ digicool & 4-am

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
RE: [Zope-dev] Virtual Host Monster Paranoia
> Then again, there's the advantage of having something
> included as a standard part of Zope.

Yes, that's true. I would like to see this being rolled into the standard Zope (and there is a Collector entry saying that), although I think it's unlikely given the 'competition' from VHM.

Having said that, a big patch is worse than a small patch. And http://www.zope.org/Members/htrd/howto/host-server is a really tiny patch ;-)
Re: [Zope-dev] Virtual Host Monster Paranoia
Toby Dickenson wrote:
>
> No, but they can get to:
>
> http://www.simpledomain.com/blah/VirtualHost/bad.stuff/blah
>
> which gets rewritten to:
>
> http://zopehost.foo.com/VirtualHost/http/www.simpledomain/blah/VirtualHost/bad.stuff/blah

If VHM doesn't do it already, patch it so that it rejects URLs with more than one VirtualHost part.

> Understanding its behaviour might be beyond the complexity
> threshold for a paranoid admin to be comfortable.

Then again, there's the advantage of having something included as a standard part of Zope.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
Re: [Zope-dev] Virtual Host Monster Paranoia
Toby Dickenson wrote:
>
> http://zopehost.foo.com/VirtualHost/http/www.simpledomain/blah/VirtualHost/bad.stuff/blah
>
> Understanding its behaviour might be beyond the complexity
> threshold for a paranoid admin to be comfortable.

Well, it's easy enough to find out if a site is running Zope, then this becomes a pretty easy attack to think of (like objectIds, objectItems and objectValues used to be, they're great fun for poking your nose into other people's Zope sites and finding stuff you shouldn't ;-)

cheers,

Chris (the paranoid one ;-)
Re: [Zope-dev] Virtual Host Monster Paranoia
On Tue, 13 Feb 2001 10:30:26 + (GMT), Matt Hamilton <[EMAIL PROTECTED]> wrote:

>I use them in conjunction with Apache's mod_proxy to rewrite
>http://www.simpledomain.com to the long
>http://zopehost.foo.com/blah/blah/VirtualHostMonstser/blah/blah. The Zope
>host is behind a firewall, so anonymous users cannot get to it directly.

No, but they can get to:

http://www.simpledomain.com/blah/VirtualHost/bad.stuff/blah

which gets rewritten to:

http://zopehost.foo.com/VirtualHost/http/www.simpledomain/blah/VirtualHost/bad.stuff/blah

Understanding its behaviour might be beyond the complexity threshold for a paranoid admin to be comfortable.

Toby Dickenson
[EMAIL PROTECTED]
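The rewrite Toby describes above, together with the check Steve proposes (reject a URL carrying more than one VirtualHost part), as an added example that is not Zope, Apache or VHM code: the proxy-side filter refuses any client path that already contains a VirtualHostBase or VirtualHostRoot segment before the fixed VHM prefix is prepended, so only one set of directives ever reaches Zope. The public host, scheme and zope_root prefix are assumed deployment values standing in for the thread's "blah/blah" placeholders, and the sample paths are constructed.

```python
from urllib.parse import unquote

# Path segments the Virtual Host Monster treats as directives (the two names
# discussed in the thread; VHM understands a few more).
VHM_DIRECTIVES = frozenset({"VirtualHostBase", "VirtualHostRoot"})


class RejectedPath(ValueError):
    """A client-supplied path carried a VHM directive of its own."""


def directive_count(path: str) -> int:
    """Count VHM directive segments; each segment is percent-decoded first,
    so an encoded spelling of a directive counts the same as the plain one."""
    return sum(1 for seg in path.split("/") if unquote(seg) in VHM_DIRECTIVES)


def client_path_is_clean(client_path: str) -> bool:
    """True when the path the browser sent contains no VHM directive at all."""
    return directive_count(client_path) == 0


def build_backend_path(client_path: str, public_host: str = "www.simpledomain.com",
                       scheme: str = "http", zope_root: str = "/blah") -> str:
    """Prepend the VHM prefix the proxy adds, but only to a clean client path.
    public_host, scheme and zope_root are assumed deployment values standing in
    for the thread's zopehost.foo.com/blah/blah/... backend location."""
    if not client_path.startswith("/"):
        client_path = "/" + client_path
    if not client_path_is_clean(client_path):
        raise RejectedPath(f"VHM directive in client path: {client_path!r}")
    prefix = f"/VirtualHostBase/{scheme}/{public_host}{zope_root}/VirtualHostRoot"
    backend = prefix + client_path
    # Post-condition, i.e. the rule proposed in the thread: exactly one
    # VirtualHostBase and one VirtualHostRoot reach Zope, never more.
    assert directive_count(backend) == 2
    return backend


def accepts(client_path: str) -> bool:
    """Would the proxy forward this client path at all?"""
    try:
        build_backend_path(client_path)
    except RejectedPath:
        return False
    return True


if __name__ == "__main__":
    for path in ("/news/index.html",
                 "/VirtualHostBase/http/other.example/VirtualHostRoot/",
                 "/blah/VirtualHost%52oot/x"):
        print(path, "->", build_backend_path(path) if accepts(path) else "rejected")
```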
Re: [Zope-dev] Virtual Host Monster Paranoia
Matt Hamilton wrote:
>
> I use them in conjunction with Apache's mod_proxy to rewrite
> http://www.simpledomain.com to the long
> http://zopehost.foo.com/blah/blah/VirtualHostMonstser/blah/blah.

Okay, try going to this URL:

http://www.simpledomain.com/VirtualHostBase/http/www.arse.com/VirtualHostRoot/

cheers,

Chris
Re: [Zope-dev] Virtual Host Monster Paranoia
On Tue, 13 Feb 2001 10:24:54 +, Chris Withers <[EMAIL PROTECTED]> wrote:

>I really like the idea of these things but I am concerned about something that
>allows anonymous users to futz with traversal.
>
>Can someone put my fears to rest that using these won't let anonymous users do
>bad things to my sites?

I didn't realize V-H-M was coming in 2.3.0, and developed an alternative that fills a similar niche:

http://www.zope.org/Members/htrd/howto/host-server

This option has fewer 'moving parts' than anything based on SiteAccess (which I still feel uncomfortable with, sorry Evan).

Toby Dickenson
[EMAIL PROTECTED]
Re: [Zope-dev] Virtual Host Monster Paranoia
On Tue, 13 Feb 2001, Chris Withers wrote:

> Right,
>
> I really like the idea of these things but I am concerned about something that
> allows anonymous users to futz with traversal.
>
> Can someone put my fears to rest that using these won't let anonymous users do
> bad things to my sites?

I use them in conjunction with Apache's mod_proxy to rewrite http://www.simpledomain.com to the long http://zopehost.foo.com/blah/blah/VirtualHostMonstser/blah/blah. The Zope host is behind a firewall, so anonymous users cannot get to it directly.

-Matt

--
Matt Hamilton                                        [EMAIL PROTECTED]
Netsight Internet Solutions, Ltd.       Business Vision on the Internet
http://www.netsight.co.uk                         +44 (0)117 9090901
Web Hosting | Web Design | Domain Names | Co-location | DB Integration
[Zope-dev] Virtual Host Monster Paranoia
Right,

I really like the idea of these things but I am concerned about something that allows anonymous users to futz with traversal.

Can someone put my fears to rest that using these won't let anonymous users do bad things to my sites?

cheers,

Chris