Re: [Zope-dev] Vulnerability: attacking can get file list and directory
> Vulnerability: attacking can get file list and directory
> Tested on Win32 platform
>
> Example:
> telnet zopeserver 8080
> PROPFIND / HTTP/1.0
>
> < list files and directory >
>
> This tested on my site:
> security.instock.ru 8080

This one really seems to be the old "WebDAV is not safe" one. I guess it has been tackled already. You should be able to switch the file listing off for the Anonymous User in Zope 2.4.1 ...

Joachim

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] New: Cross Site Scripting vulnerability
> Example:
>
> http://www.zope.org/Documentation/alert(document.domain)
> http://www.zope.org/lalalalalalert(document.domain)
> http://www.zope.org/alert(document.cookie)
>
> For example, an attacker might post a message like
>
> Hello message board. This is a message.
> malicious code
> This is the end of my message.
>
> When a victim with scripts enabled in their browser reads this
> message, the malicious code may be executed unexpectedly.
> Scripting tags that can be embedded in this way include
Re: [Zope-dev] DISCUSS: Community checkins for CVS
> I imagine that the group will decide rules on peer reviewing. For
> comparison, the Mozilla group has very elaborate rules for checkins,
> while Python has pretty much an innocent until proven guilty culture.
> (That is, you check something in, and if somebody complains, it gets
> removed.)
> I don't think it is worthwhile trying to form these rules a priori.

That's fine. I just wanted to put it onto the agenda ...

> > We need rules like "NO FIXES BETWEEN FINAL BETA AND RELEASE" (Absolutely no
> > fixes I mean) -- and those rules should apply to everybody.
> Again, we'll let the rules come out of the group. For instance, what if
> an Emacs #foo.py# accidentally got checked in? Would you really require
> another beta release for that? Betas are a cost incurred by hundreds of
> people around the world.

My personal opinion is that, apart from the version number, a final beta should be exactly the same as the actual release. Accidentally checked-in stuff can cause accidents. So there is some reason for a careful release policy.

But in your specific case, if the "final" beta that should lead to a release has been actually released (and tagged in the CVS), how should somebody be able to check something into it afterwards? That could only happen if there are problems with the CVS configuration and usage I guess ...

> Ahh, the "it's the Wiki's fault" argument. I just checked the zip
> mailing list archive. 9 messages since Aug 1st. So neither email nor
> Wiki are good choices. Can you point to an example of a process that
> worked better for designing APIs?

I don't blame the Wiki in general. Wikis (together with mailing lists) are a good start. Sometimes we'd just need real meetings on real conferences I guess ...

Joachim
Re: [Zope-dev] Vulnerability in Zope
Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for but I'm not sure what this guy is on. I wouldn't count this as a "security vulnerability".

- Original Message -
From: "Chris Withers" <[EMAIL PROTECTED]>
To: "Paul Everitt" <[EMAIL PROTECTED]>; "ALife" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, September 23, 2001 10:44 AM
Subject: Re: [Zope-dev] Vulnerability in Zope

> > Do others consider this a vulnerability?
>
> Yup... especially given the hard-coded (sigh) error page returned for
> authentication error gives out this information :-(
>
> Chris
Re: [Zope-dev] New: Cross Site Scripting vulnerability
What does this have to do with Zope? It's down to an individual application.

- Original Message -
From: "ALife" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 23, 2001 10:23 AM
Subject: [Zope-dev] New: Cross Site Scripting vulnerability

> Example:
>
> http://www.zope.org/Documentation/alert(document.domain)
> http://www.zope.org/lalalalalalert(document.domain)
> http://www.zope.org/alert(document.cookie)
>
> For example, an attacker might post a message like
>
> Hello message board. This is a message.
> malicious code
> This is the end of my message.
>
> When a victim with scripts enabled in their browser reads this
> message, the malicious code may be executed unexpectedly.
> Scripting tags that can be embedded in this way include
Re: [Zope-dev] New: Cross Site Scripting vulnerability
Aargh, I sent that first to [EMAIL PROTECTED] ...

> > Hello message board. This is a message.
> > malicious code
> > This is the end of my message.
>
> I don't really see your point other than a carelessly implemented app may
> expose these kind of vulnerabilities. Python (and hence Zope) has a
> library
> for stripping out this sort of malicious HTML.
> Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this
> can be used.

umm chris, you're right, but this example

http://www.zope.org/Documentation/alert(document.domain)

executes the script. I don't exactly see why/where but I feel this really shouldn't happen. As I see it, it's more a problem of zope's standard_error page, which constructs links to the classic zope site. I don't see a zope-specific bug here, too.

cheers,
oliver
Re: [Zope-dev] DISCUSS: Community checkins for CVS
Joachim Werner wrote:

[snip]

> What I haven't found on the CVS site yet is anything about peer-reviewing
> contributions before they go into the main tree. While I sometimes have the
> feeling that there are fixes from ZC people that should NOT have made it
> into a release, there are many patches from the community that are not
> getting into a release for a long time (this is not a very scientific
> statement, just my personal feeling).

I imagine that the group will decide rules on peer reviewing. For comparison, the Mozilla group has very elaborate rules for checkins, while Python has pretty much an innocent until proven guilty culture. (That is, you check something in, and if somebody complains, it gets removed.) I don't think it is worthwhile trying to form these rules a priori.

> We need rules like "NO FIXES BETWEEN FINAL BETA AND RELEASE" (Absolutely no
> fixes I mean) -- and those rules should apply to everybody.

Again, we'll let the rules come out of the group. For instance, what if an Emacs #foo.py# accidentally got checked in? Would you really require another beta release for that? Betas are a cost incurred by hundreds of people around the world. I think the group can do their best to adhere to a policy of doing beta cycles for minor changes.

> We maybe also need an improved process for designing new API extensions etc.
> One case for that is the Zope Internationalization Project
> (http://www.eurozope.org/zip/FrontPage), which better sooner than later
> should become a core project. I have the feeling that with the current Wiki
> approach it will take ages to agree on a syntax for internationalization in

Ahh, the "it's the Wiki's fault" argument. I just checked the zip mailing list archive. 9 messages since Aug 1st. So neither email nor Wiki are good choices. Can you point to an example of a process that worked better for designing APIs?

As for internationalization, I'm hoping that EuroZope (or ZIP) will recommend a strategy. I'm on the EuroZope list as well, and from what I can tell, there's still a ways to go before consensus is reached. Let's start a discussion over on EuroZope or ZIP and see if consensus can be reached.

> Zope. I don't mean that we need a single implementation. But we need an
> agreed-on syntax that is part of the standard Zope package, so that a ZPT or
> DTML Method will not break if it uses translation tags.

Yes, that's needed quite badly. But I don't think this has to be done before we open the CVS to external contributors.

--Paul
[Zope-dev] Vulnerability: attacking can get file list and directory
Vulnerability: attacking can get file list and directory
Tested on Win32 platform

Example:
telnet zopeserver 8080
PROPFIND / HTTP/1.0

< list files and directory >

This tested on my site:
security.instock.ru 8080
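The fix Joachim points at in the reply above is to stop serving the listing to the Anonymous user. As an added illustration (not Zope's own code, and not how Zope 2.4.1 implements its setting), the WSGI-style guard below answers WebDAV discovery methods with 401 unless the request carries valid HTTP Basic credentials, and lets everything else through to the wrapped application. The set of guarded methods, the `USERS` table, the `listing_app` stand-in and the `run()` driver are constructed for this example.

```python
import base64
import hmac

# WebDAV methods that reveal structure: PROPFIND lists a collection's members,
# OPTIONS advertises DAV support. Assumption: these are the ones to gate.
WEBDAV_DISCOVERY_METHODS = {"PROPFIND", "OPTIONS"}

# Constructed credential store for the example; a real server consults its own.
USERS = {"admin": "pw"}

def basic_header(user, password):
    """Build an HTTP Basic Authorization header value for a constructed request."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

def is_authenticated(environ):
    """True only if the request carries valid HTTP Basic credentials."""
    scheme, _, value = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not value:
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user, "")
    # compare_digest keeps the comparison constant-time; the membership check
    # after it refuses an unknown user presenting an empty password.
    return (bool(sep)
            and hmac.compare_digest(expected.encode(), password.encode())
            and user in USERS)

def webdav_guard(app):
    """Wrap a WSGI app so anonymous WebDAV discovery requests are answered 401."""
    def guarded(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method in WEBDAV_DISCOVERY_METHODS and not is_authenticated(environ):
            body = b"Authentication required for WebDAV access.\n"
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", 'Basic realm="Zope"'),
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return guarded

def listing_app(environ, start_response):
    """Stand-in for the server: answers any request with a constructed listing."""
    body = b"<multistatus><response><href>/private/</href></response></multistatus>"
    start_response("207 Multi-Status", [("Content-Type", "text/xml")])
    return [body]

def run(app, method, headers=None):
    """Drive a WSGI app with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}
    def start_response(status, response_headers):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body

if __name__ == "__main__":
    guarded = webdav_guard(listing_app)
    print(run(guarded, "PROPFIND"))                                    # 401
    print(run(guarded, "PROPFIND", {"Authorization": basic_header("admin", "pw")}))  # 207
    print(run(guarded, "GET"))                                         # passed through
```

The point to take from the guard is that the listing itself is not the bug; serving it to an unauthenticated caller is, so the decision is made on the method plus the credential, not on the path.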
Re: [Zope-dev] New: Cross Site Scripting vulnerability
> Hello message board. This is a message.
> malicious code
> This is the end of my message.

I don't really see your point other than a carelessly implemented app may expose these kind of vulnerabilities. Python (and hence Zope) has a library for stripping out this sort of malicious HTML.

Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this can be used.

cheers,

Chris
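Two places in this thread need the same treatment: the message-board post Chris discusses here, and the standard_error page Oliver mentions that writes the requested path back into HTML. The code below is an added example, not Zope's, Strip-o-Gram's or Squishdot's code. `render_message()` escapes a post outright; `strip_disallowed_tags()` keeps a small allow-list of harmless tags with their attributes dropped and escapes everything else, which is the shape of the HTML-stripping approach Chris refers to; `error_page()` shows the path being escaped before it reaches the page. The allow-list and the sample post are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Assumption: a minimal allow-list for a message board; anything else is text.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}

def render_message(text):
    """Escape a posted message so the browser shows it as text, never as markup."""
    return '<div class="message">%s</div>' % html.escape(text, quote=True)

class _AllowListStripper(HTMLParser):
    """Re-emit only allow-listed tags (without attributes); escape all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)      # attributes dropped: no onclick=, no href=
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        # script/style bodies arrive here as data too, so they end up escaped text
        self.out.append(html.escape(data, quote=True))
    # comments, processing instructions and doctype declarations are dropped

def strip_disallowed_tags(fragment):
    """Allow-list filter: keep harmless formatting, neutralise everything else."""
    parser = _AllowListStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def error_page(request_path):
    """Not-found page that echoes the requested path safely: the path is escaped
    before it is written into the HTML body or into an href."""
    safe = html.escape(request_path, quote=True)
    return ("<html><body><h1>Not Found</h1>"
            "<p>The resource <code>%s</code> was not found.</p>"
            '<p><a href="/?from=%s">Home</a></p></body></html>' % (safe, safe))

if __name__ == "__main__":
    # Constructed post in the shape of the thread's message-board example.
    post = ('Hello message board. <script>alert(document.domain)</script> '
            'This is <b onclick="x()">the end</b> of my message.')
    print(render_message(post))
    print(strip_disallowed_tags(post))
    print(error_page("/Documentation/<script>alert(document.domain)</script>"))
```

Escaping is the default choice; the allow-list stripper is for the case where the board wants to keep bold or italics, and it works by re-emitting only what it recognises rather than by trying to remove what it thinks is bad.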
Re: [Zope-dev] Vulnerability in Zope
> Do others consider this a vulnerability?

Yup... especially given the hard-coded (sigh) error page returned for authentication error gives out this information :-(

Chris
[Zope-dev] New: Cross Site Scripting vulnerability
Example:

http://www.zope.org/Documentation/alert(document.domain)
http://www.zope.org/lalalalalalert(document.domain)
http://www.zope.org/alert(document.cookie)

For example, an attacker might post a message like

Hello message board. This is a message.
malicious code
This is the end of my message.

When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include
Re: [Zope-dev] Vulnerability in Zope
On Sun, Sep 23, 2001 at 10:36:33AM -0400, Paul Everitt wrote:
>
> Do others consider this a vulnerability? While it reveals more
> information than people might want, I'm curious about scenarios under
> which it could be exploited.
>
> If any of you know of something *specific*, meaning it's a genuinely
> exploitable vulnerability, please email me or Brian Lloyd
> ([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.
> ...
> ...
>
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property

Think about social engineering. Knowing this sort of things, while this is not a vulnerability in itself, allows everybody to remotely know where Data.fs is.

bye,

Jerome Alet
Re: [Zope-dev] questions about writing a DA
I just took a look at ODBC Socket Server, which I had never seen before. Pretty interesting! Here's some comments.

1) It looks like socket server opens a new socket for processing every request. In this respect, it goes against one of the benefits of database adapters, which keep a persistent connection.

2) Architecturally, socket server is very similar to web services. See the fishbowl proposal at dev.zope.org for more info. Thus, the approach that Zope would do for web services might have some similarity to what you'd like to do. Alternatively, take a look at the adapter for Ultraseek search engine at http://www.zope.org/Members/brianh/UltraseekDA. It gives a model that might be useful to you.

3) Zope's approach of having separate objects that handle database connections provide the benefit that regular objects can't just fire up socket connections. You want a model that helps prevent all of Zope's threads from being stuck waiting on responses to socket requests.

4) SQL Methods provide some useful and important machinery for your socket server approach. First, I think you want site developers to think your thing is exactly the same as a regular SQL Method. Also:

- You likely want to keep the arguments list approach, to prevent people from inserting malicious data into the SQL requests.
- Even more than with current database adapters, you want to retain the caching feature in SQL Methods.
- Shoving the results into the Recordset code is something you might want to keep.
- Etc.

Good luck, this looks like a useful project!

--Paul

StevenLee wrote:
> hi,all
>
> I have got several questions here,and maybe you can give me some advice.
>
> What I am trying to do is write a product which can communicate with ODBC Socket
> Server, a win32 server application that allow applications to have access to Data
> Sources managed by Windows ODBC DataSource Administrator. And now a class written
> in python can communicate with ODBC Socket Server.
> BTW,the class mentioned above handles the connection to the server,sending SQL
> statement,and Receiving results.
>
> As far as I know, in Zope,to access Data Sources,one must create a Database
> connection and ZSQLMethods associated with it to get the results. (but I have
> doubt about this, IMHO,there must be some other way to do so,but what is it.).
>
> Now,I am rather confused about how to solve the problem.
> First,is what I need to write a DA? or just a common product?
> Second,if it's a DA, how can I use the existing class? I have read the article
> named "how to write a DA" in the how-tos,but it is quite abstract to me.
> Third,where can I find more about the DataBase Connection and ZSQLMethod ?
> especially on how they work together to access databases.
>
> OK,I am not sure whether I have made me understood, in fact,I am not quite clear
> myself. if you have any questions about that,I will reply ASAP.
>
> thanks for your great patience,I will be grateful if you can give me some advice.
> thank you!
>
> Best Wishes
>
> yours sincerely
> Steven Lee
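Two of the SQL Method properties Paul lists in point 4, the declared arguments list and the result cache, are easy to see in a few lines. The class below is an added example over sqlite3 so it runs offline; it is not Zope's SQL Method code and not the ODBC Socket Server class Steven describes. Values arrive only through the declared argument names and are bound to `?` placeholders, so a value is never spliced into the statement text; results are cached per bound-value tuple for a bounded time over one persistent connection. `unsafe_lookup()` is the string-splicing pattern the arguments list exists to prevent, kept only to contrast its result on the same input. The table, rows and names are constructed for the example.

```python
import sqlite3
import time

class SqlMethod:
    """A named query with a fixed argument list, a parameterised statement and
    a time-bounded result cache keyed on the bound values."""
    def __init__(self, connection, arguments, statement, cache_seconds=10):
        self.conn = connection              # one persistent connection, not one per call
        self.arguments = tuple(arguments)   # the only inputs the method accepts, in order
        self.statement = statement          # uses ? placeholders only
        self.cache_seconds = cache_seconds
        self._cache = {}                    # bound values -> (expires_at, rows)

    def __call__(self, **kw):
        unknown = set(kw) - set(self.arguments)
        if unknown:
            raise TypeError("unexpected arguments: %s" % sorted(unknown))
        values = tuple(kw.get(name) for name in self.arguments)
        now = time.monotonic()
        hit = self._cache.get(values)
        if hit is not None and hit[0] > now:
            return hit[1]                   # cache hit: no round trip to the database
        rows = self.conn.execute(self.statement, values).fetchall()
        self._cache[values] = (now + self.cache_seconds, rows)
        return rows

def unsafe_lookup(connection, title):
    """The pattern the arguments list prevents: the caller's value becomes part
    of the SQL text, so quoting in the value changes the query's meaning."""
    return connection.execute(
        "SELECT id, title FROM docs WHERE title = '%s'" % title).fetchall()

def make_demo_db():
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)")
    conn.executemany("INSERT INTO docs (title, secret) VALUES (?, ?)",
                     [("Public notes", 0), ("Board minutes", 1), ("Payroll", 1)])
    return conn

if __name__ == "__main__":
    conn = make_demo_db()
    find_doc = SqlMethod(conn, ["title"], "SELECT id, title FROM docs WHERE title = ?")
    print(find_doc(title="Public notes"))        # [(1, 'Public notes')]
    quoted = "x' OR '1'='1"                      # a title value containing quotes
    print(find_doc(title=quoted))                # bound as data: []
    print(unsafe_lookup(conn, quoted))           # spliced into the SQL: every row
```

The cache key is the tuple of bound values, which is also why the arguments list matters for caching: two requests that differ only in how a value is quoted are the same query once the value is data rather than SQL.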
Re: [Zope-dev] Vulnerability in Zope
Do others consider this a vulnerability? While it reveals more information than people might want, I'm curious about scenarios under which it could be exploited.

If any of you know of something *specific*, meaning it's a genuinely exploitable vulnerability, please email me or Brian Lloyd ([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.

--Paul

ALife wrote:
> Found vulnerability: retrieve a full path to local files in Zope.
>
> ---[ Example 1 (Linux):
>
> telnet www.zope.org 80
>
> PROPFIND / HTTP/1.0
>
> F
> G
> H
> J
> K
> L
> HTTP/1.0 500 Internal Server Error
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
> Date: Mon, 10 Sep 2001 15:38:59 GMT
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
> Sheets.py
> Bobo-Exception-Type: TypeError
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
> Sheets.py
> Bobo-Exception-Type: TypeError
> Content-Type: text/html
> Bobo-Exception-Value: EN" "http://www.w3.org/TR/REC-html40/loose.dtd";> Welcome
> to Zope.org http://www.zope.org/zope_css";
> type="text/css"> Bobo-Exception-Line: 369
>
> ...
>
> Host has closed connection.
>
> ---[ Example 2 (Linux):
> telnet www.zope.com 80
>
> / HTTP/1.0
> or NOTREALCOMMAND / HTTP/1.0
>
> HTTP/1.0 404 Not Found
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
> Date: Fri, 21 Sep 2001 12:51:48 GMT
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/H
> TTPResponse.py
> Content-Type: text/html
> Bobo-Exception-Type: NotFound
> Bobo-Exception-Value: EN" "http://www.w3.org/TR/REC-html40/loose.dtd";> Welcome
> to Zope.org http://www.zope.org/zope_css";
> type="text/css"> Content-Length: 5845
> Bobo-Exception-Line: 547
>
> < ... >
>
> Host has closed connection.
>
> ---[ Example 3 (Win32):
>
> OPTIONS / HTTP/1.0
> or NOTREALCOMMAND / HTTP/1.0
>
> HTTP/1.0 404 Not Found
> Server: Zope/Zope 2.3.2 (binary release, python 1.5.2, win32-x86) ZServer/1.1b1
> Date: Mon, 10 Sep 2001 15:06:43 GMT
> Bobo-Exception-File: D:\INSTOC~1\lib\python\webdav\NullResource.py
> Bobo-Exception-Type: Not Found
> Content-Type: text/html
> Location: http://SERVERNAME
> Bobo-Exception-Value: bobo exception
> Content-Length: 756
> Bobo-Exception-Line: 122
>
> ::
>
> Ошибка!
> Ошибка при попытке опубликовать ресурс.
>
> Host has closed connection.
[Zope-dev] Vulnerability in Zope
Found vulnerability: retrieve a full path to local files in Zope.

---[ Example 1 (Linux):

telnet www.zope.org 80

PROPFIND / HTTP/1.0

F
G
H
J
K
L
HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:38:59 GMT
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
Sheets.py
Bobo-Exception-Type: TypeError
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
Sheets.py
Bobo-Exception-Type: TypeError
Content-Type: text/html
Bobo-Exception-Value: http://www.w3.org/TR/REC-html40/loose.dtd";> Welcome
to Zope.org http://www.zope.org/zope_css"; type="text/css">

Host has closed connection.

---[ Example 2 (Linux):

telnet www.zope.com 80

/ HTTP/1.0
or NOTREALCOMMAND / HTTP/1.0

HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Fri, 21 Sep 2001 12:51:48 GMT
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/H
TTPResponse.py
Content-Type: text/html
Bobo-Exception-Type: NotFound
Bobo-Exception-Value: http://www.w3.org/TR/REC-html40/loose.dtd";> Welcome
to Zope.org http://www.zope.org/zope_css"; type="text/css">

Host has closed connection.

---[ Example 3 (Win32):

OPTIONS / HTTP/1.0
or NOTREALCOMMAND / HTTP/1.0

HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (binary release, python 1.5.2, win32-x86) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:06:43 GMT
Bobo-Exception-File: D:\INSTOC~1\lib\python\webdav\NullResource.py
Bobo-Exception-Type: Not Found
Content-Type: text/html
Location: http://SERVERNAME
Bobo-Exception-Value: bobo exception
Content-Length: 756
Bobo-Exception-Line: 122

::

Ошибка!
Ошибка при попытке опубликовать ресурс.

Host has closed connection.
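What the advisory and the replies above agree on is that the `Bobo-Exception-*` headers and the detailed `Server` banner hand out installation paths and version strings to any client. The code below is an added example, not Zope's own code: `audit_response_headers()` parses a raw HTTP response header block (including the folded continuation line seen in the captures) and reports headers that expose an absolute filesystem path, a diagnostic field or a version string, which is the check to run against your own server; `scrub_headers()` returns the header list a reverse proxy or middleware should forward instead. `SAMPLE_RESPONSE` is constructed after the advisory's Example 2 output, not a live capture, and the deny-list of diagnostic header names is an assumption based on the names visible in the thread.

```python
import re

# Diagnostic headers that should never reach a client. Assumption: the
# Bobo-Exception-* names seen in this thread's captures.
DIAGNOSTIC_HEADERS = {"bobo-exception-file", "bobo-exception-type",
                      "bobo-exception-value", "bobo-exception-line"}
# POSIX absolute paths with at least two components, or Windows drive paths.
PATH_RE = re.compile(r"(?:/[\w.~-]+){2,}|[A-Za-z]:\\[\w.~\\-]+")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\w*")

# Constructed after the advisory's Example 2 (not a live capture).
SAMPLE_RESPONSE = (
    "HTTP/1.0 404 Not Found\r\n"
    "Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1\r\n"
    "Date: Fri, 21 Sep 2001 12:51:48 GMT\r\n"
    "Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/H\r\n"
    " TTPResponse.py\r\n"
    "Content-Type: text/html\r\n"
    "Bobo-Exception-Type: NotFound\r\n"
    "Bobo-Exception-Line: 547\r\n"
    "\r\n"
    "<html>...</html>\r\n"
)

def parse_headers(raw):
    """Split a raw response into (status_line, [(name, value), ...]).
    A line starting with whitespace continues the previous header's value."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                               # blank line ends the header block
        if line[0] in " \t" and headers:        # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def audit_response_headers(raw):
    """Return (header, reason) findings for leaked paths, diagnostics, versions."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname in DIAGNOSTIC_HEADERS:
            findings.append((name, "diagnostic header exposed to clients"))
        path = PATH_RE.search(value)
        if path:
            findings.append((name, "absolute filesystem path: " + path.group(0)))
        if lname == "server" and VERSION_RE.search(value):
            findings.append((name, "version string in Server banner"))
    return findings

def scrub_headers(raw):
    """Drop diagnostic headers and cut the Server banner to the product name."""
    _, headers = parse_headers(raw)
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in DIAGNOSTIC_HEADERS:
            continue
        if lname == "server":
            value = value.split("/")[0]         # "Zope/Zope 2.3.2 (...)" -> "Zope"
        kept.append((name, value))
    return kept

if __name__ == "__main__":
    for header, reason in audit_response_headers(SAMPLE_RESPONSE):
        print("%-22s %s" % (header, reason))
    print(scrub_headers(SAMPLE_RESPONSE))
```

The folded-line handling matters for this check: the path in the captured responses is split over two lines, and an audit that only looks at one line at a time would report half a path or none.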
[Zope-dev] questions about writing a DA
hi, all

I have got several questions here, and maybe you can give me some advice.

What I am trying to do is write a product which can communicate with ODBC Socket Server, a win32 server application that allows applications to have access to Data Sources managed by Windows ODBC DataSource Administrator. And now a class written in python can communicate with ODBC Socket Server. BTW, the class mentioned above handles the connection to the server, sending SQL statement, and Receiving results.

As far as I know, in Zope, to access Data Sources, one must create a Database connection and ZSQLMethods associated with it to get the results. (but I have doubt about this, IMHO, there must be some other way to do so, but what is it.).

Now, I am rather confused about how to solve the problem.
First, is what I need to write a DA? or just a common product?
Second, if it's a DA, how can I use the existing class? I have read the article named "how to write a DA" in the how-tos, but it is quite abstract to me.
Third, where can I find more about the DataBase Connection and ZSQLMethod? especially on how they work together to access databases.

OK, I am not sure whether I have made me understood, in fact, I am not quite clear myself. if you have any questions about that, I will reply ASAP.

thanks for your great patience, I will be grateful if you can give me some advice. thank you!

Best Wishes

yours sincerely
Steven Lee