Re: [Zope-dev] Vulnerability: attacking can get file list and directory

2001-09-23 Thread Joachim Werner 


> Vulnerability: attacking can get file list and directory
> Tested on Win32 platform
>
> Example:
> telnet zopeserver 8080
> PROPFIND / HTTP/1.0
> 
> 
> 
>
> < list files and directory >
>
> This tested on my site:
> security.instock.ru 8080

This one really seems to be the old "WebDAV is not safe" one. I guess it has
been tackled already. You should be able to switch the file listing off for
the Anonymous User in Zope 2.4.1 ...

Joachim


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread Martijn Pieters 

> Example:
>
> http://www.zope.org/Documentation/alert(document.domain)
> http://www.zope.org/lalalalalalert(document.domain)
> http://www.zope.org/alert(document.cookie)
>
> For  example, an attacker might post a message like
>
> Hello message board. This is a message.
>malicious code
> This is the end of my message.
>
> When a victim with scripts enabled  in their  browser reads this
> message,  the  malicious  code   may  be  executed   unexpectedly.
> Scripting tags that can be embedded in this way include

Re: [Zope-dev] DISCUSS: Community checkins for CVS

2001-09-23 Thread Joachim Werner 

> I imagine that the group will decide rules on peer reviewing.  For
> comparison, the Mozilla group has very elaborate rules for checkins,
> while Python has pretty much an innocent until proven guilty culture.
> (That is, you check something in, and if somebody complains, it gets
> removed.)

> I don't think it is worthwhile trying to form these rules a priori.

That's fine. I just wanted to put it onto the agenda ...

> > We need rules like "NO FIXES BETWEEN FINAL BETA AND RELEASE" (Absolutely
no
> > fixes I mean) -- and those rules should apply to everybody.

> Again, we'll let the rules come out of the group.  For instance, what if
> an Emacs #foo.py# accidentally got checked in?  Would you really require
> another beta release for that?  Betas are a cost incurred by hundreds of
> people around the world.

My personal opinion is that, apart from the version number, a final beta
should be exactly the same as the actual release. Accidentally checked-in
stuff can cause accidents. So there is some reason for a careful release
policy.

But in your specific case, if the "final" beta that should lead to a release
has been actually released (and tagged in the CVS), how should somebody be
able to check something into it afterwards? That could only happen if there
are problems with the CVS configuration and usage I guess ...

> Ahh, the "it's the Wiki's fault" argument.  I just checked the zip
> mailing list archive.  9 messages since Aug 1st.  So neither email nor
> Wiki are good choices.  Can you point to an example of a process that
> worked better for designing APIs?

I don't blame the Wiki in general. Wikis (together with mailing lists) are a
good start. Sometimes we'd just need real meetings on real conferences I
guess ...

Joachim


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Andy McKay 

Haven't we been complaining about this automatic appending of tracebacks for
a while? To me this is what log files are for but Im not sure what this
guy is on. I wouldnt count this as a "security vulnerability".

- Original Message -
From: "Chris Withers" <[EMAIL PROTECTED]>
To: "Paul Everitt" <[EMAIL PROTECTED]>; "ALife" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, September 23, 2001 10:44 AM
Subject: Re: [Zope-dev] Vulnerability in Zope


> > Do others consider this a vulnerability?
>
> Yup... especially given the hard-coded (sigh) error page returned for
> authentication error gives out this information :-(
>
> Chris
>
>
>
> ___
> Zope-Dev maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
>



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread Andy McKay 

What does this have to do with Zope? Its down to an individual application.

- Original Message - 
From: "ALife" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 23, 2001 10:23 AM
Subject: [Zope-dev] New: Cross Site Scripting vulnerability


> 
> Example:
> 
> http://www.zope.org/Documentation/alert(document.domain)
> http://www.zope.org/lalalalalalert(document.domain)
> http://www.zope.org/alert(document.cookie)
> 
> For  example, an attacker might post a message like
> 
> Hello message board. This is a message.
>malicious code
> This is the end of my message.
> 
> When a victim with scripts enabled  in their  browser reads this
> message,  the  malicious  code   may  be  executed   unexpectedly.
> Scripting tags that can be embedded in this way include

Re: [Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread Oliver Bleutgen 

Aargh, 
I sent that first to [EMAIL PROTECTED] ...

>> Hello message board. This is a message.
>>malicious code
>> This is the end of my message.

> I don't really see your point other than a carelessly implemented app may
> expose these kind of vulnerabilities. Python (and hence Zope) has a
> library
> for stripping out this sort of malicious HTML.

> Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this
> can be used.

umm chris,

you're right, but this example

http://www.zope.org/Documentation/alert(document.domain)

executes the script. I don't exactly see why/where but I feel 
this really shouldn't happen. As I see it, it's more a problem 
of zope's standard_error page, which constructs links to the 
classic zope site. I don't see a zope-specific bug here, too.

cheers,
oliver



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DISCUSS: Community checkins for CVS

2001-09-23 Thread Paul Everitt 

Joachim Werner wrote:
[snip]

> What I haven't found on the CVS site yet is anything about peer-reviewing
> contributions before they go into the main tree. While I sometimes have the
> feeling that there are fixes from ZC people that should NOT have made it
> into a release, there are many patches from the community that are not
> getting into a release for a long time (this is not a very scientific
> statement, just my personal feeling).


I imagine that the group will decide rules on peer reviewing.  For 
comparison, the Mozilla group has very elaborate rules for checkins, 
while Python has pretty much an innocent until proven guilty culture. 
(That is, you check something in, and if somebody complains, it gets 
removed.)

I don't think it is worthwhile trying to form these rules a priori.


> We need rules like "NO FIXES BETWEEN FINAL BETA AND RELEASE" (Absolutely no
> fixes I mean) -- and those rules should apply to everybody.


Again, we'll let the rules come out of the group.  For instance, what if 
an Emacs #foo.py# accidentally got checked in?  Would you really require 
another beta release for that?  Betas are a cost incurred by hundreds of 
people around the world.

I think the group can do their best to adhere to a policy of doing beta 
cycles for minor changes.


> We maybe also need an improved process for designing new API extensions etc.
> One case for that is the Zope Internationalization Project
> (http://www.eurozope.org/zip/FrontPage), which better sooner than later
> should become a core project. I have the feeling that with the current Wiki
> approach it will take ages to agree on a syntax for internationalization in


Ahh, the "it's the Wiki's fault" argument.  I just checked the zip 
mailing list archive.  9 messages since Aug 1st.  So neither email nor 
Wiki are good choices.  Can you point to an example of a process that 
worked better for designing APIs?

As for internationalization, I'm hoping that EuroZope (or ZIP) will 
recommend a strategy.  I'm on the EuroZope list as well, and from what I 
can tell, there's still a ways to go before consensus is reached.  Let's 
start a discussion over on EuroZope or ZIP and see if consensus can be 
reached.

> Zope. I don't mean that we need a single implementation. But we need an
> agreed-on syntax that is part of the standard Zope package, so that a ZPT or
> DTML Method will not break if it uses translation tags.

Yes, that's needed quite badly.  But I don't think this has to be done 
before we open the CVS to external contributors.

--Paul


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Vulnerability: attacking can get file list and directory

2001-09-23 Thread ALife 

Vulnerability: attacking can get file list and directory
Tested on Win32 platform

Example:
telnet zopeserver 8080
PROPFIND / HTTP/1.0




< list files and directory >

This tested on my site:
security.instock.ru 8080


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread Chris Withers 

> Hello message board. This is a message.
>malicious code
> This is the end of my message.

I don't really see your point other than a carelessly implemented app may
expose these kind of vulnerabilities. Python (and hence Zope) has a library
for stripping out this sort of malicious HTML.

Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this
can be used.

cheers,

Chris


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Chris Withers 

> Do others consider this a vulnerability?

Yup... especially given the hard-coded (sigh) error page returned for
authentication error gives out this information :-(

Chris



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] New: Cross Site Scripting vulnerability

2001-09-23 Thread ALife 


Example:

http://www.zope.org/Documentation/alert(document.domain)
http://www.zope.org/lalalalalalert(document.domain)
http://www.zope.org/alert(document.cookie)

For  example, an attacker might post a message like

Hello message board. This is a message.
   malicious code
This is the end of my message.

When a victim with scripts enabled  in their  browser reads this
message,  the  malicious  code   may  be  executed   unexpectedly.
Scripting tags that can be embedded in this way include

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Jerome Alet 

On Sun, Sep 23, 2001 at 10:36:33AM -0400, Paul Everitt wrote:
> 
> Do others consider this a vulnerability?  While it reveals more 
> information than people might want, I'm curious about scenarios under 
> which it could be exploited.
> 
> If any of you know of something *specific*, meaning it's a genuinely 
> exploitable vulnerability, please email me or Brian Lloyd 
> ([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.
> ...
> ...
> > Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property

Think about social engeniering.
Knowing this sort of things, while this is not a vulnerability in itself,
allows everybody to remotely know were Data.fs is.

bye,

Jerome Alet


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] questions about writing a DA

2001-09-23 Thread Paul Everitt 


I just took a look at ODBC Socket Server, which I had never seen before. 
  Pretty interesting!  Here's some comments.

1) It looks like socket server opens a new socket for processing every 
request.  In this respect, it goes against one of the benefits of 
database adapters, which keep a persistent connection.

2) Architecturally, socket server is very similar to web services.  See 
the fishbowl proposal at dev.zope.org for more info.  Thus, the approach 
that Zope would do for web services might have some similarity to what 
you'd like to do.  Alternatively, take a look at the adapter for 
Ultraseek search engine at 
http://www.zope.org/Members/brianh/UltraseekDA.  It gives a model that 
might be useful to you.

3) Zope's approach of having separate objects that handle database 
connections provide the benefit that regular objects can't just fire up 
socket connections.  You want a model that helps prevent all of Zope's 
threads from being stuck waiting on responses to socket requests.

4) SQL Methods provide some useful and important machinery for your 
socket server approach.  First, I think you want site developers to 
think your thing is exactly the same as a regular SQL Method.  Also:

   - You likely want to keep the arguments list approach, to
   prevent people from inserting malicious data into the SQL requests.

   - Even more than with current database adapters, you want to
   retain the caching feature in SQL Methods.

   - Shoving the results into the Recordset code is something
   you might want to keep.

   - Etc.

Good luck, this looks like a useful project!

--Paul

StevenLee wrote:

> hi,all
> 
> I have got several questions here,and maybe you can give me some advice.
> 
> What I am trying to do  is write a product which can communicate with ODBC Socket 
>Server,
> a win32 server application that allow applications to have access to Data Sources 
>managed by Windows ODBC 
> DataSource Administrator. And now a class written in python can communicate with 
>ODBC Socket Server.
> BTW,the class mentioned above  handles the connection to the server,sending SQL 
>statement,and Receiving results.
> 
> As far as I know, in Zope,to access Data Sources,one must create a Database 
>connection and  
> ZSQLMethods associated with it to get the results. (but I have doubt about this,
> IMHO,there must be some other way to do so,but what is it.).
> 
> Now,I am rather confused about how to solve the problem. 
> First,is what I need to write a DA? or just a common product?
> Second,if it's a DA, how can I use the existing class? I have read the article named 
>"how to write a DA" in the how-tos,but it is quite abstract to me. 
> Third,where can I find more about the DataBase Connection and ZSQLMethod ? 
>especially on how they work together to access databases.
> 
> OK,I am not sure whether I have made me understood, in fact,I am not quite clear 
>myself. if you have any questions about that,I will reply ASAP.
> 
> thanks for your great patience,I will be grateful if you can give me some advice.
> thank you!
> 
> Best Wishes
> 
> yours sincerely
> Steven Lee  
> f?
> 
>?j)e?Y+?m?^8.??+-???:)y?6?+(7))(7)l1.?r??^?^vX?+-?:)z???f?X?)?q+-?:)z???f?X?)??pe==
> 




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Paul Everitt 


Do others consider this a vulnerability?  While it reveals more 
information than people might want, I'm curious about scenarios under 
which it could be exploited.

If any of you know of something *specific*, meaning it's a genuinely 
exploitable vulnerability, please email me or Brian Lloyd 
([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.

--Paul

ALife wrote:

> Found vulnerability: retrieve a full path to local files in Zope.
> 
> ---[ Example 1 (Linux):
> 
> telnet www.zope.org 80
> 
> PROPFIND / HTTP/1.0
> 
> F
> G
> H
> J
> K
> L
> HTTP/1.0 500 Internal Server Error
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
> Date: Mon, 10 Sep 2001 15:38:59 GMT
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
> Sheets.py
> Bobo-Exception-Type: TypeError
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
> Sheets.py
> Bobo-Exception-Type: TypeError
> Content-Type: text/html
> Bobo-Exception-Value:  EN" "http://www.w3.org/TR/REC-html40/loose.dtd";> Welcome
> to Zope.org   http://www.zope.org/zope_css";
>  type="text/css">   Bobo-Exception-Line: 369
> 
> 
> ...
> 
> 
>  
> Host has closed connection.
> 
> ---[ Example 2 (Linux):
> telnet www.zope.com 80
> 
>  / HTTP/1.0
> or NOTREALCOMMAND / HTTP/1.0
> 
> 
> HTTP/1.0 404 Not Found
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
> Date: Fri, 21 Sep 2001 12:51:48 GMT
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/H
> TTPResponse.py
> Content-Type: text/html
> Bobo-Exception-Type: NotFound
> Bobo-Exception-Value:  EN" "http://www.w3.org/TR/REC-html40/loose.dtd";> Welcome
> to Zope.org   http://www.zope.org/zope_css";
>  type="text/css">   Content-Length: 5845
> Bobo-Exception-Line: 547
> 
> < ... >
> 
>  
> Host has closed connection.
> 
> 
> ---[ Example 3 (Win32):
> 
> OPTIONS / HTTP/1.0
> or NOTREALCOMMAND / HTTP/1.0
> 
> HTTP/1.0 404 Not Found
> Server: Zope/Zope 2.3.2 (binary release, python 1.5.2, win32-x86) ZServer/1.1b1
> Date: Mon, 10 Sep 2001 15:06:43 GMT
> Bobo-Exception-File: D:\INSTOC~1\lib\python\webdav\NullResource.py
> Bobo-Exception-Type: Not Found
> Content-Type: text/html
> Location: http://SERVERNAME
> Bobo-Exception-Value: bobo exception
> Content-Length: 756
> Bobo-Exception-Line: 122
> 
> ::
> 
> Îøèáêà!
> Î
> øèáêà ïðè ïîïûòêå îïóáëèêîâàòü ðåñóðñ.
>   
>   
> 
> Host has closed connection.
> 
> 
> ___
> Zope-Dev maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
> 




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Vulnerability in Zope

2001-09-23 Thread ALife 

Found vulnerability: retrieve a full path to local files in Zope.

---[ Example 1 (Linux):

telnet www.zope.org 80

PROPFIND / HTTP/1.0

F
G
H
J
K
L
HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:38:59 GMT
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
Sheets.py
Bobo-Exception-Type: TypeError
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
Sheets.py
Bobo-Exception-Type: TypeError
Content-Type: text/html
Bobo-Exception-Value: http://www.w3.org/TR/REC-html40/loose.dtd";> Welcome
to Zope.org   http://www.zope.org/zope_css";
 type="text/css">  
Host has closed connection.

---[ Example 2 (Linux):
telnet www.zope.com 80

 / HTTP/1.0
or NOTREALCOMMAND / HTTP/1.0


HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Fri, 21 Sep 2001 12:51:48 GMT
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/H
TTPResponse.py
Content-Type: text/html
Bobo-Exception-Type: NotFound
Bobo-Exception-Value: http://www.w3.org/TR/REC-html40/loose.dtd";> Welcome
to Zope.org   http://www.zope.org/zope_css";
 type="text/css">  

 
Host has closed connection.


---[ Example 3 (Win32):

OPTIONS / HTTP/1.0
or NOTREALCOMMAND / HTTP/1.0

HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (binary release, python 1.5.2, win32-x86) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:06:43 GMT
Bobo-Exception-File: D:\INSTOC~1\lib\python\webdav\NullResource.py
Bobo-Exception-Type: Not Found
Content-Type: text/html
Location: http://SERVERNAME
Bobo-Exception-Value: bobo exception
Content-Length: 756
Bobo-Exception-Line: 122

::

Îøèáêà!
Î
øèáêà ïðè ïîïûòêå îïóáëèêîâàòü ðåñóðñ.
  
  

Host has closed connection.


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] questions about writing a DA

2001-09-23 Thread StevenLee 

hi,all

I have got several questions here,and maybe you can give me some advice.

What I am trying to do  is write a product which can communicate with ODBC Socket 
Server,
a win32 server application that allow applications to have access to Data Sources 
managed by Windows ODBC 
DataSource Administrator. And now a class written in python can communicate with ODBC 
Socket Server.
BTW,the class mentioned above  handles the connection to the server,sending SQL 
statement,and Receiving results.

As far as I know, in Zope,to access Data Sources,one must create a Database connection 
and  
ZSQLMethods associated with it to get the results. (but I have doubt about this,
IMHO,there must be some other way to do so,but what is it.).

Now,I am rather confused about how to solve the problem. 
First,is what I need to write a DA? or just a common product?
Second,if it's a DA, how can I use the existing class? I have read the article named 
"how to write a DA" in the how-tos,but it is quite abstract to me. 
Third,where can I find more about the DataBase Connection and ZSQLMethod ? especially 
on how they work together to access databases.

OK,I am not sure whether I have made me understood, in fact,I am not quite clear 
myself. if you have any questions about that,I will reply ASAP.

thanks for your great patience,I will be grateful if you can give me some advice.
thank you!

Best Wishes

yours sincerely
Steven Lee  
fŠ^
ëæj)eŠËY¢—ƒzüè¥ê+‚m§ÿåŠËlΊ^¢¸?™¨¥™©ÿ–+-Šwèÿ:)yׯ6‡+¢Ë)¢Ël¢±Ó0·§r‡bž^•«^vX¬¶Èm¶Ÿÿ–+-³:)zŠàþf¢–f§þX¬¶)ߣüè¥æ§ž‹§qèm¶Ÿÿ–+-³:)zŠàþf¢–f§þX¬¶)ߣüè¥