On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
Vulnerability: attacking can get file list and directory
Tested on Win32 platform
Example:
telnet zopeserver 8080
PROPFIND / HTTP/1.0
enter
enter
enter
list files and directory
This tested on my
Shane Hathaway wrote:
[...]
PDV just yields information you might give out anyway. But maybe we
could deal with it anyway by writing an error.log instead of sending
the traceback to the browser. What do you think?
I think it's fine, but only if specified on the z2.py cmdline or other
On Mon, Sep 24, 2001 at 10:59:11AM -0400, Shane Hathaway wrote:
Oliver Bleutgen wrote:
From a non-technical, PR-wise point of view let me add that
this type of vulnerability easily gets Zope mentioned on lists
like bugtraq. The perception is that these things really are
vulnerabilities.
Shane Hathaway wrote:
PDV just yields information you might give out anyway. But maybe we
could deal with it anyway by writing an error.log instead of sending
the traceback to the browser. What do you think?
Well, how about just changing the brain-dead way standard_error_message works?
From: Chris Withers [EMAIL PROTECTED]
The traceback should _not_ be _appended_ to the error message. If an app
developer chooses to show it, then fine they can as they do already (mine
sends me an error email ;-), but why should it be appended in all circumstances
Be careful of that -- I
marc lindahl wrote:
Be careful of that -- I recently got *flooded* with error emails from a
recent bout of the Code Red worm looking for files that weren't on my server
:(
Yup, had that too... I patched BaseRequest.py to not bitch ;-)
Mind you I surpassed myself with a similar thing with a
Hi Shane,
Oliver Bleutgen wrote:
From a non-technical, PR-wise point of view let me add that
this type of vulnerability easily gets Zope mentioned on lists
like bugtraq. The perception is that these things really are
vulnerabilities.
You're right, a quick search on Google for path
On Monday 24 September 2001 10:59 am, Shane Hathaway allegedly wrote:
[snip]
PDV just yields information you might give out anyway. But maybe we
could deal with it anyway by writing an error.log instead of sending
the traceback to the browser. What do you think?
Shane
My suggestion would
?
Anyway, that's my 3-mile high take on it...
Sean
-Original Message-
From: Shane Hathaway [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 7:59 AM
To: Oliver Bleutgen
Cc: [EMAIL PROTECTED]
Subject: Re: [Zope-dev] Vulnerability: attacking can get file list and
directory
Oliver
Why not use logrotate, similarly to how you handle the Apache
logs? Or set a cron job to clear the logs, if you don't like logrotate...
[EMAIL PROTECTED] writes:
On a high-traffic site, wouldn't the log get really big, really quickly with
tracebacks? It is also nice to have
To: [EMAIL PROTECTED]
Subject: Re: [Zope-dev] Vulnerability: attacking can get file list and
directory
Hi Shane,
Oliver Bleutgen wrote:
From a non-technical, PR-wise point of view let me add that
this type of vulnerability easily gets Zope mentioned on lists
like bugtraq. The perception
Vulnerability: attacking can get file list and directory
Tested on Win32 platform
Example:
telnet zopeserver 8080
PROPFIND / HTTP/1.0
enter
enter
enter
list files and directory
This tested on my site:
security.instock.ru 8080
___
Zope-Dev
Vulnerability: attacking can get file list and directory
Tested on Win32 platform
Example:
telnet zopeserver 8080
PROPFIND / HTTP/1.0
enter
enter
enter
list files and directory
This tested on my site:
security.instock.ru 8080
This one really seems to be the old WebDAV is not