: [EMAIL PROTECTED]
Subject: Re: [Zope-dev] Vulnerability: attacking can get file list and
directory
Hi Shane,
> Oliver Bleutgen wrote:
>> From a non-technical, PR-wise point of view let me add that
>> this type of "vulnerability" easily gets zope mentioned on lists
>>
Why not use logrotate, similarly to how you handle the Apache
logs? Or set a cron job to clear the logs, if you don't like logrotate...
[EMAIL PROTECTED] writes:
> On a high-traffic site, wouldn't the log get really big, really quickly with
> tracebacks? It is also nice to have t
Z2.py?
Anyway, that's my 3-mile high take on it...
Sean
-Original Message-
From: Shane Hathaway [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 7:59 AM
To: Oliver Bleutgen
Cc: [EMAIL PROTECTED]
Subject: Re: [Zope-dev] Vulnerability: attacking can get file list and
director
On Monday 24 September 2001 10:59 am, Shane Hathaway allegedly wrote:
[snip]
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?
>
> Shane
>
My suggestio
Hi Shane,
> Oliver Bleutgen wrote:
>> From a non-technical, PR-wise point of view let me add that
>> this type of "vulnerability" easily gets zope mentioned on lists
>> like bugtraq. The perception is that these things really are
>> vulnerabilities.
> You're right, a quick search on google for
marc lindahl wrote:
>
> Be careful of that -- I recently got *flooded* with error emails from a
> recent bout of the Code Red worm looking for files that weren't on my server
> :(
Yup, had that too... I patched BaseRequest.py to not bitch ;-)
Mind you, I surpassed myself with a similar thing with
> From: Chris Withers <[EMAIL PROTECTED]>
>
> The traceback should _not_ be _appended_ to the error message. If an app
> developer chooses to show it, then fine they can as they do already (mine
> sends
> me an error email ;-), but why should it be appended in all circumstances
Be careful of th
Shane Hathaway wrote:
>
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?
Well, how about just changing the brain-dead way standard_error_message work
On Mon, Sep 24, 2001 at 10:59:11AM -0400, Shane Hathaway wrote:
> Oliver Bleutgen wrote:
>
> >From a non-technical, PR-wise point of view let me add that
> >this type of "vulnerability" easily gets zope mentioned on lists
> >like bugtraq. The perception is that these things really are
> >vulnerab
Shane Hathaway wrote:
> [...]
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?
I think it's fine, but only if specified on the z2.py cmdline or
Oliver Bleutgen wrote:
> From a non-technical, PR-wise point of view let me add that
> this type of "vulnerability" easily gets zope mentioned on lists
> like bugtraq. The perception is that these things really are
> vulnerabilities.
You're right, a quick search on google for "path disclosure
> On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
>> > Vulnerability: attacking can get file list and directory
>> > Tested on Win32 platform
>> >
>> > Example:
>> > telnet zopeserver 8080
>> > PROPFIND / HTTP/1.0
>> >
>> >
>> >
>> >
>> > < list files and directory >
>> >
On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
> > Vulnerability: attacking can get file list and directory
> > Tested on Win32 platform
> >
> > Example:
> > telnet zopeserver 8080
> > PROPFIND / HTTP/1.0
> >
> >
> >
> >
> > < list files and directory >
> >
> > This teste
> Vulnerability: attacking can get file list and directory
> Tested on Win32 platform
>
> Example:
> telnet zopeserver 8080
> PROPFIND / HTTP/1.0
>
>
>
>
> < list files and directory >
>
> This tested on my site:
> security.instock.ru 8080
This one really seems to be the old "WebDAV is not sa
Vulnerability: attacking can get file list and directory
Tested on Win32 platform
Example:
telnet zopeserver 8080
PROPFIND / HTTP/1.0
< list files and directory >
This tested on my site:
security.instock.ru 8080