hi,
imho i've found a vulnerability in zope 2.10.4 or rather in the newer
version of five (1.5.5) used by it. in `Five/browser/pagetemplatefile.py`
in line 27 `createTrustedZopeEngine` is used to instantiate the page
template engine used by five templates, or at least this is what i
On Sun, 2001-09-23 at 17:00, Andy McKay wrote:
[snip]
Haven't we been complaining about this automatic appending of tracebacks for
a while? To me this is what log files are for but I'm not sure what this
guy is on. I wouldn't count this as a security vulnerability.
Hmm. It's 'side-band'
Sent: Sunday, September 23, 2001 10:44 AM
Subject: Re: [Zope-dev] Vulnerability in Zope
Do others consider this a vulnerability?
Yup... especially given the hard-coded (sigh) error page returned for
authentication error gives out this information :-(
Chris
seb bacon wrote:
* Andy McKay [EMAIL PROTECTED] [010924 01:11]:
Haven't we been complaining about this automatic appending of tracebacks for
a while? To me this is what log files are for but I'm not sure what this
guy is on. I wouldn't count this as a security vulnerability.
It's
Found vulnerability: retrieve a full path to local files in Zope.
---[ Example 1 (Linux):
telnet www.zope.org 80
PROPFIND / HTTP/1.0
F
G
H
J
K
L
HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:38:59 GMT
Do others consider this a vulnerability? While it reveals more
information than people might want, I'm curious about scenarios under
which it could be exploited.
If any of you know of something *specific*, meaning it's a genuinely
exploitable vulnerability, please email me or Brian Lloyd
On Sun, Sep 23, 2001 at 10:36:33AM -0400, Paul Everitt wrote:
Do others consider this a vulnerability? While it reveals more
information than people might want, I'm curious about scenarios under
which it could be exploited.
If any of you know of something *specific*, meaning it's a
Do others consider this a vulnerability?
Yup... especially given the hard-coded (sigh) error page returned for
authentication error gives out this information :-(
Chris