Re: [Zope] IIS and Zope share same problem :-S
Pierre-Julien Grizel wrote: Hum... A possible way to solve this problem is to practice the "you can't do ANYTHING but..." policy... And, thus, according proxy roles to the methods that must access it, such as index_html. I know it's constraining but with a little work we can end up with something quite secure secret. It's not secret, you can still use /objectIds and /objectValues to find out about things... Secure, yes it is that. But, it's a lot more than a little work. What I was suggesting was something to do the grunt work of all this with the same outcome. oh well... Chris ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] IIS and Zope share same problem :-S
Chris Withers wrote: Andrew Kenneth Milton wrote: | | http://www.zope.org/standard_html_header for example ;-) Not that old chestnut again... Yes, that old chestnut again. If it's considered a serious security flaw by Microsoft, maybe the Zope community should finally do something to solve it. ...and yes, there are discussions about this on Zope-dev right now, which will hopefully produce a solution :-) cheers, As soon as you can tell us how to get Zope to go executing _files_ on the server (read, in the filesystem), as opposed to objects in the site I might accept it as the same bug. :^)= Then-again,-I-might-_use_-that-capability-if-I-could-ly y'rs Bill -- E PLURIBUS LINUX ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] IIS and Zope share same problem :-S
On Fri, 20 Oct 2000, Chris Withers wrote: Andrew Kenneth Milton wrote: | http://www.zope.org/standard_html_header for example ;-) Not that old chestnut again... Yes, that old chestnut again. If it's considered a serious security flaw by Microsoft, maybe the Zope community should finally do something to solve it. ...and yes, there are discussions about this on Zope-dev right now, wwhich will hopefully produce a solution :-) Now, I may be missing the point of the fine grained access control of ZOPE, but knowing an objects ID is not at all the same as being able to access it, or even invoke it correctly. The MS bug "allows access to any file on the webserver". Whilst in ZOPE you may be able to enter the URL and invoke the object to some degree, unless you have the permissions to do whatever it does, what harm can you do? To me, this seems like more of a "patch by sensible admin" problem than a security hole. cheers, Chris Have a better one, Curtis Maloney. ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] IIS and Zope share same problem :-S
MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE by Dave Murphy, [EMAIL PROTECTED] Microsoft is scrambling to repair damage caused by a security hole in its IIS 4 5 webserver that runs on Windows NT/2000. Microsoft claims over four million IIS websites, and each one of them is at risk of releasing sensitive data through the security hole. Called the "Web Server Folder Traversal" error, the flaw allows users to execute files on an IIS website by requesting a specific web address. http://www.zope.org/standard_html_header for example ;-) http://www.zope.org/objectIds as another... The bug allows access to any file on the webserver via a specified URL. Like all webservers, IIS is supposed to prevent access to files that aren't intended to be part of the website. Maybe Zope should too This article is posted to http://itrain.org/itinfo/2000/it001017.html Live well, do good, --Dave Murphy cheers, Chris ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] IIS and Zope share same problem :-S
+---[ Chris Withers ]-- | MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE | by Dave Murphy, [EMAIL PROTECTED] | | Microsoft is scrambling to repair damage caused by a | security hole in its IIS 4 5 webserver that runs on | Windows NT/2000. Microsoft claims over four million | IIS websites, and each one of them is at risk of | releasing sensitive data through the security hole. | Called the "Web Server Folder Traversal" error, the | flaw allows users to execute files on an IIS website by | requesting a specific web address. | | http://www.zope.org/standard_html_header for example ;-) Not that old chestnut again... | http://www.zope.org/objectIds as another... To be fair this is not the same as the bug described below. | | The bug allows access to any file on the webserver via | a specified URL. Like all webservers, IIS is supposed | to prevent access to files that aren't intended to be | part of the website. Knowing the file is there is not the same as accessing it. -- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew Milton The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon PO Box 837 Indooroopilly QLD 4068|[EMAIL PROTECTED]| ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] IIS and Zope share same problem :-S
Hum... A possible way to solve this problem is to practice the "you can't do ANYTHING but..." policy... And, thus, according proxy roles to the methods that must access it, such as index_html. I know it's constraining but with a little work we can end up with something quite secure secret. P.-J. Chris Withers wrote: MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE by Dave Murphy, [EMAIL PROTECTED] Microsoft is scrambling to repair damage caused by a security hole in its IIS 4 5 webserver that runs on Windows NT/2000. Microsoft claims over four million IIS websites, and each one of them is at risk of releasing sensitive data through the security hole. Called the "Web Server Folder Traversal" error, the flaw allows users to execute files on an IIS website by requesting a specific web address. http://www.zope.org/standard_html_header for example ;-) http://www.zope.org/objectIds as another... The bug allows access to any file on the webserver via a specified URL. Like all webservers, IIS is supposed to prevent access to files that aren't intended to be part of the website. Maybe Zope should too This article is posted to http://itrain.org/itinfo/2000/it001017.html Live well, do good, --Dave Murphy cheers, Chris ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev ) -- If the only tool you have is a hammer, you tend to see every problem as a nail. Si le seul outil dont vous disposez est un marteau, vous avez tendance à voir chaque problème comme un clou. --Abraham Maslow ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] IIS and Zope share same problem :-S
As I already suggested ages ;) ago (and still didn't put into practice) it would here again be best to deny everything that isn't explicitly allowed (e.g. allow whatever ends with _html or .html and deny everything else) but then I would have to go over the whole website and make bazillions of changes ... I fixed the problem temporarily by adding some "FilesMatch/LocationMatch + deny from all" in my httpd.conf. But what else do I have to deny apart from objectIds? Ragnar Andrew Kenneth Milton wrote: | | http://www.zope.org/standard_html_header for example ;-) Not that old chestnut again... Yes, that old chestnut again. If it's considered a serious security flaw by Microsoft, maybe the Zope community should finally do something to solve it. ...and yes, there are discussions about this on Zope-dev right now, which will hopefully produce a solution :-) cheers, Chris ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev ) ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
