[Zope-dev] vulnerability in zope 2.10.4

2007-07-11 Thread Andreas Zeidler
hi, imho i've found a vulnerability in zope 2.10.4 or rather in the newer version of five (1.5.5) used by it. in `Five/browser/pagetemplatefile.py` in line 27 `createTrustedZopeEngine` is used to instantiate the page template engine used by five templates, or at least this is what i

Re: [Zope-dev] Vulnerability in Zope

2001-09-25 Thread Michael R. Bernstein
On Sun, 2001-09-23 at 17:00, Andy McKay wrote: [snip] Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for but I'm not sure what this guy is on. I wouldn't count this as a security vulnerability. Hmm. It's 'side-band'

Re: [Zope-dev] Vulnerability in Zope

2001-09-24 Thread seb bacon
Sent: Sunday, September 23, 2001 10:44 AM Subject: Re: [Zope-dev] Vulnerability in Zope Do others consider this a vulnerability? Yup... especially given the hard-coded (sigh) error page returned for authentication error gives out this information :-( Chris

Re: [Zope-dev] Vulnerability in Zope

2001-09-24 Thread Chris Withers
seb bacon wrote: * Andy McKay [EMAIL PROTECTED] [010924 01:11]: Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for but I'm not sure what this guy is on. I wouldn't count this as a security vulnerability. It's

[Zope-dev] Vulnerability in Zope

2001-09-23 Thread ALife
Found vulnerability: retrieve a full path to local files in Zope.
---[ Example 1 (Linux):
telnet www.zope.org 80
PROPFIND / HTTP/1.0
F G H J K L
HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:38:59 GMT

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Paul Everitt
Do others consider this a vulnerability? While it reveals more information than people might want, I'm curious about scenarios under which it could be exploited. If any of you know of something *specific*, meaning it's a genuinely exploitable vulnerability, please email me or Brian Lloyd

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Jerome Alet
On Sun, Sep 23, 2001 at 10:36:33AM -0400, Paul Everitt wrote: Do others consider this a vulnerability? While it reveals more information than people might want, I'm curious about scenarios under which it could be exploited. If any of you know of something *specific*, meaning it's a

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Chris Withers
Do others consider this a vulnerability? Yup... especially given the hard-coded (sigh) error page returned for authentication error gives out this information :-( Chris

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Andy McKay
Sent: Sunday, September 23, 2001 10:44 AM Subject: Re: [Zope-dev] Vulnerability in Zope Do others consider this a vulnerability? Yup... especially given the hard-coded (sigh) error page returned for authentication error gives