RE: [Zope-dev] Vulnerability: attacking can get file list and directory
Personally, I think this really should be an integration issue instead of a Zope issue: use a front-end proxy server (i.e. Squid) and set up ACLs to prevent this...

Sean

-Original Message-
From: Oliver Bleutgen [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 9:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [Zope-dev] Vulnerability: attacking can get file list and directory

Hi shane,

> Oliver Bleutgen wrote:
>> From a non-technical, PR-wise point of view let me add that
>> this type of "vulnerability" easily gets zope mentioned on lists
>> like bugtraq. The perception is that these things really are
>> vulnerabilities.

> You're right, a quick search on google for "path disclosure
> vulnerability" yields a lot of hits for lots of applications.

> It troubles me that people consider PDV to be important at all when the
> client-side trojan bug is still fully exploitable on all browsers
> including IE and Mozilla! (AFAIK) Client-side trojans, which can cause
> your browser to invisibly post a comment on a weblog, execute a
> financial transaction, or break into servers you maintain, are a major
> risk.

I had put something about that theme at the client-side trojan wiki, but I'll repeat myself since you mentioned it ...

Methinks the creators of the http/1.1 rfc were aware of the dangers we call client-side trojan and wrote the following:

"
9.1.1 Safe Methods

Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others.

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.
"

Zope really should not accept GET requests to dangerous manage_* (or other) methods, that would ensure it's at least compliant with the spirit of that rfc. If the user decides to use a browser which allows javascript to auto-submit forms and stuff, it's his choice.

I have a feeling that other ideas like checking referer etc. are bound to fail after one or two generations of new browsers. We should have in mind that the same people who will design these browsers already had the bright idea of implementing auto-submitting of hidden forms.

> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?

I fear it would make working with zope harder for inexperienced users. When working with apache/perl on linux, I always had a tail -f /var/log/httpd/error.log running in a terminal, but if you're solely working on windows without using the power of cygwin or other tools, this might get tedious.

What I would like to see is an error "product" which can be freely configured to show more or less details depending on its context (i.e. user/role etc.) and able to optionally write to a log file. I know this is a lot of work and has its technical problems, but it's a nice imagination.

cheers,
oliver

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Why not use logrotate, similarly to how you handle the Apache logs? Or set a cron job to clear the logs, if you don't like logrotate...

[EMAIL PROTECTED] writes:

> On a high-traffic site, wouldn't the log get really big, really quickly with
> tracebacks? It is also nice to have the tracebacks in the browser window
> for debugging...
RE: [Zope-dev] Vulnerability: attacking can get file list and directory
On a high-traffic site, wouldn't the log get really big, really quickly with tracebacks? It is also nice to have the tracebacks in the browser window for debugging...

Why not just enable tracebacks to clients from trusted IP address ranges or domains... Set this up as an option in Z2.py?

Anyway, that's my 3-mile high take on it...

Sean

-Original Message-
From: Shane Hathaway [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 7:59 AM
To: Oliver Bleutgen
Cc: [EMAIL PROTECTED]
Subject: Re: [Zope-dev] Vulnerability: attacking can get file list and directory

Oliver Bleutgen wrote:
> From a non-technical, PR-wise point of view let me add that
> this type of "vulnerability" easily gets zope mentioned on lists
> like bugtraq. The perception is that these things really are
> vulnerabilities.

You're right, a quick search on google for "path disclosure vulnerability" yields a lot of hits for lots of applications.

It troubles me that people consider PDV to be important at all when the client-side trojan bug is still fully exploitable on all browsers including IE and Mozilla! (AFAIK) Client-side trojans, which can cause your browser to invisibly post a comment on a weblog, execute a financial transaction, or break into servers you maintain, are a major risk.

PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an "error.log" instead of sending the traceback to the browser. What do you think?

Shane
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
On Monday 24 September 2001 10:59 am, Shane Hathaway allegedly wrote:
[snip]
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?
>
> Shane
>

My suggestion would be to hide it for all users except Managers by default. So that you aren't hosed if you don't have access to the server log files...

/---\
Casey Duncan, Sr. Web Developer
National Legal Aid and Defender Association
[EMAIL PROTECTED]
\---/
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Hi shane,

> Oliver Bleutgen wrote:
>> From a non-technical, PR-wise point of view let me add that
>> this type of "vulnerability" easily gets zope mentioned on lists
>> like bugtraq. The perception is that these things really are
>> vulnerabilities.

> You're right, a quick search on google for "path disclosure
> vulnerability" yields a lot of hits for lots of applications.

> It troubles me that people consider PDV to be important at all when the
> client-side trojan bug is still fully exploitable on all browsers
> including IE and Mozilla! (AFAIK) Client-side trojans, which can cause
> your browser to invisibly post a comment on a weblog, execute a
> financial transaction, or break into servers you maintain, are a major
> risk.

I had put something about that theme at the client-side trojan wiki, but I'll repeat myself since you mentioned it ...

Methinks the creators of the http/1.1 rfc were aware of the dangers we call client-side trojan and wrote the following:

"
9.1.1 Safe Methods

Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others.

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.
"

Zope really should not accept GET requests to dangerous manage_* (or other) methods, that would ensure it's at least compliant with the spirit of that rfc. If the user decides to use a browser which allows javascript to auto-submit forms and stuff, it's his choice.

I have a feeling that other ideas like checking referer etc. are bound to fail after one or two generations of new browsers. We should have in mind that the same people who will design these browsers already had the bright idea of implementing auto-submitting of hidden forms.

> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?

I fear it would make working with zope harder for inexperienced users. When working with apache/perl on linux, I always had a tail -f /var/log/httpd/error.log running in a terminal, but if you're solely working on windows without using the power of cygwin or other tools, this might get tedious.

What I would like to see is an error "product" which can be freely configured to show more or less details depending on its context (i.e. user/role etc.) and able to optionally write to a log file. I know this is a lot of work and has its technical problems, but it's a nice imagination.

cheers,
oliver
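The method guard Oliver argues for above, as an added example (not Zope's own code): a WSGI-style filter that answers 405 to GET and HEAD requests aimed at management methods that change state, so a link or image tag planted on a third-party page cannot trigger them, while display-only screens such as manage_main stay reachable by GET. The set of side-effecting names, the stand-in application and the simulate() helper are assumptions made for the example; a real deployment would enumerate its own action methods.

```python
"""Refuse "safe" HTTP methods (GET, HEAD) for side-effecting manage_* calls.

Added example, not Zope's code. The names in SIDE_EFFECTING are illustrative
assumptions; forms such as manage_main remain reachable by GET.
"""
from io import BytesIO

SAFE_METHODS = {"GET", "HEAD"}

# Assumed list of management methods that change state.
SIDE_EFFECTING = {
    "manage_delObjects",
    "manage_addFolder",
    "manage_pasteObjects",
    "manage_changeProperties",
    "manage_renameObjects",
}


def last_segment(path):
    """Final path element: '/a/b/manage_delObjects' -> 'manage_delObjects'."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def is_blocked(method, path):
    """True when a safe method targets a method that would have side effects."""
    return method.upper() in SAFE_METHODS and last_segment(path) in SIDE_EFFECTING


class SafeMethodGuard:
    """WSGI middleware: answer 405 instead of forwarding a blocked request."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        path = environ.get("PATH_INFO", "/")
        if is_blocked(method, path):
            body = b"405 Method Not Allowed: this method changes state; use POST.\n"
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain"),
                ("Allow", "POST"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for Zope (assumed): pretends every request succeeds."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def simulate(app, method, path, query=""):
    """Drive a WSGI app without a server; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "wsgi.input": BytesIO(b""),
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body


guarded = SafeMethodGuard(demo_app)

if __name__ == "__main__":
    # A planted <img src="http://zope/folder/manage_delObjects?ids:list=x"> is a
    # GET and is refused; the same call by POST from a real form still works.
    for method, path in [("GET", "/folder/manage_delObjects"),
                         ("POST", "/folder/manage_delObjects"),
                         ("GET", "/folder/manage_main")]:
        print(method, path, simulate(guarded, method, path, "ids:list=x")[0])
```

As Oliver notes, a hidden form that script auto-submits by POST still gets through, so this guard is the RFC-compliance floor rather than a complete defence; it does, however, remove the cheapest vector (a bare link or image tag), and unlike a Referer check it does not depend on what future browsers choose to send.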
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
marc lindahl wrote:
>
> Be careful of that -- I recently got *flooded* with error emails from a
> recent bout of the Code Red worm looking for files that weren't on my server
> :(

Yup, had that too... I patched BaseRequest.py to not bitch ;-)

Mind you I surpassed myself with a similar thing with a bit of Notes/Zope integration that resulted in me getting 17,000 emails one sunny morning... At least I know we have a decent mail server ;-)

Chris
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
> From: Chris Withers <[EMAIL PROTECTED]>
>
> The traceback should _not_ be _appended_ to the error message. If an app
> developer chooses to show it, then fine they can as they do already (mine
> sends
> me an error email ;-), but why should it be appended in all circumstances

Be careful of that -- I recently got *flooded* with error emails from a recent bout of the Code Red worm looking for files that weren't on my server :(
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Shane Hathaway wrote:
>
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?

Well, how about just changing the brain-dead way standard_error_message works? The traceback should _not_ be _appended_ to the error message. If an app developer chooses to show it, then fine they can as they do already (mine sends me an error email ;-), but why should it be appended in all circumstances (even if it is in html quoting on production servers?!)

Oh yeah, Authentication exceptions shouldn't return a hard coded error message either... bah humbug ;-)

Chris
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
On Mon, Sep 24, 2001 at 10:59:11AM -0400, Shane Hathaway wrote:
> Oliver Bleutgen wrote:
>
> >From a non-technical, PR-wise point of view let me add that
> >this type of "vulnerability" easily gets zope mentioned on lists
> >like bugtraq. The perception is that these things really are
> >vulnerabilities.
>
> You're right, a quick search on google for "path disclosure
> vulnerability" yields a lot of hits for lots of applications.
>
> It troubles me that people consider PDV to be important at all when the
> client-side trojan bug is still fully exploitable on all browsers
> including IE and Mozilla! (AFAIK) Client-side trojans, which can cause
> your browser to invisibly post a comment on a weblog, execute a
> financial transaction, or break into servers you maintain, are a major risk.
>
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?

Yes, the error log approach is far preferable. But, it would be nice if the browser got a message something like:

An error has occurred : (stuff above traceback information is printed). Refer your administrator to the error log key

and then prepend each line of the error log for this item with . Then a simple grep would be enough to find the particular error in question.

[And it might be really nice if errors were emailed to an administrator, as well as logged. If this is done, it would probably be desirable to have some sort of per folder property in which the proper contact(s) could be listed.]

Jim Penny

>
> Shane
>
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Shane Hathaway wrote:
> [...]
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?

I think it's fine, but only if specified on the z2.py cmdline or other configuration equivalent (--paranoid or PARANOID="yes, please!" come to mind :-). But I guess that goes without saying.

Alternatively (or concurrently) we could reformat the traceback to report file names relative to the Zope installation directory (or to INSTANCE_HOME) instead of reporting the absolute filename. In this case the only leaked information is of the kind an attacker could easily obtain from downloading Zope source code, which, last time I looked, was available for all those damned script kiddies to download.

Damn these opensource projects who keep posting their source code allowing Hackers(TM) to look at its vulnerabilities :-)

Cheers,
Leo
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Oliver Bleutgen wrote:
> From a non-technical, PR-wise point of view let me add that
> this type of "vulnerability" easily gets zope mentioned on lists
> like bugtraq. The perception is that these things really are
> vulnerabilities.

You're right, a quick search on google for "path disclosure vulnerability" yields a lot of hits for lots of applications.

It troubles me that people consider PDV to be important at all when the client-side trojan bug is still fully exploitable on all browsers including IE and Mozilla! (AFAIK) Client-side trojans, which can cause your browser to invisibly post a comment on a weblog, execute a financial transaction, or break into servers you maintain, are a major risk.

PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an "error.log" instead of sending the traceback to the browser. What do you think?

Shane
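The error handling this proposal and its replies converge on, as one added example (not Zope's code): Shane's error.log in place of a browser traceback, Jim Penny's per-error key that the user is shown and that prefixes every logged line so one grep recovers the traceback, Leo's file names relative to INSTANCE_HOME, Casey's Managers-only rule together with Sean's trusted address ranges, and a notification throttle for the Code Red flood Chris and marc describe. INSTANCE_HOME, the trusted networks, the role name and the log list that stands in for the file are assumptions made for the example.

```python
"""Keep tracebacks out of anonymous responses without losing them.

Added example, not Zope's code. INSTANCE_HOME, TRUSTED_NETS and the
"Manager" role name are assumed values; log_lines stands in for error.log.
"""
import hashlib
import ipaddress
import secrets
import traceback

INSTANCE_HOME = "/opt/zope/instance"                      # assumed
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),       # assumed
                ipaddress.ip_network("127.0.0.0/8")]
PRIVILEGED_ROLE = "Manager"


def format_tb(exc):
    """Plain-text traceback for an exception that has been raised and caught."""
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def relativize(text, base=INSTANCE_HOME):
    """Strip the absolute instance prefix so only instance-relative paths remain.

    What is left is what anyone with the Zope source could work out anyway.
    """
    return text.replace(base.rstrip("/") + "/", "")


def may_see_traceback(roles, client_ip):
    """Full traceback only for Managers or for clients inside a trusted network."""
    if PRIVILEGED_ROLE in roles:
        return True
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def render_error(exc, roles, client_ip, log_lines):
    """Log the full traceback under a random key; return the body to send back.

    Every logged line of one error carries the same key, so
    "grep <key> error.log" pulls out the whole traceback.
    """
    key = secrets.token_hex(8)
    tb_text = relativize(format_tb(exc))
    for line in tb_text.splitlines():
        log_lines.append(f"[{key}] {line}")
    if may_see_traceback(roles, client_ip):
        return f"Error {key}\n\n{tb_text}"
    return f"An error has occurred. Refer your administrator to error key {key}."


def should_notify(exc, tb_text, now, state, window=3600):
    """Allow one notification per distinct failure per window.

    The signature is the exception type plus the innermost frame, so a worm
    probing for the same missing file a thousand times yields one mail.
    state maps signature -> time of the last notification.
    """
    frames = [l.strip() for l in tb_text.splitlines() if l.lstrip().startswith('File "')]
    innermost = frames[-1] if frames else ""
    sig = hashlib.sha256(f"{type(exc).__name__}|{innermost}".encode()).hexdigest()
    last = state.get(sig)
    if last is not None and now - last < window:
        return False
    state[sig] = now
    return True


if __name__ == "__main__":
    log = []
    try:
        open(INSTANCE_HOME + "/Products/Missing/config.py")  # assumed path, absent
    except OSError as e:
        print(render_error(e, [], "203.0.113.9", log))           # anonymous: key only
        print(render_error(e, ["Manager"], "203.0.113.9", log))  # Manager: full text
    print("\n".join(log[:3]))
```

The anonymous reply carries nothing but the key; the same key on every log line is what makes Jim's grep work, and relativize() is applied before logging as well, so the log itself does not pin the install to a filesystem path either.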
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
> On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
>> > Vulnerability: attacking can get file list and directory
>> > Tested on Win32 platform
>> >
>> > Example:
>> > telnet zopeserver 8080
>> > PROPFIND / HTTP/1.0
>> >
>> > < list files and directory >
>> >
>> > This tested on my site:
>> > security.instock.ru 8080
>>
>> This one really seems to be the old "WebDAV is not safe" one. I guess it
>> has been tackled already. You should be able to switch the file listing
>> off
>> for the Anonymous User in Zope 2.4.1 ...
>>
>> Joachim

> I totally agree. Tracebacks should not be visible to anonymous users!
> Although I would hesitate to call this a vulnerability, it ranks up there
> with the old ability to call objectIds by URL as anonymous.
> The less information that anonymous users can glean about the server, the
> better.

From a non-technical, PR-wise point of view let me add that this type of "vulnerability" easily gets zope mentioned on lists like bugtraq. The perception is that these things really are vulnerabilities.

Proof: 17.9. A posting named "Yet another path disclosure vulnerability" targeted at oracle 9i appserver, and 21.9. "RM Security Advisory: Xcache Path Disclosure Vulnerability" both of which describe exactly the analogon to how zope handles things.

cheers,
oliver
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
> > Vulnerability: attacking can get file list and directory
> > Tested on Win32 platform
> >
> > Example:
> > telnet zopeserver 8080
> > PROPFIND / HTTP/1.0
> >
> > < list files and directory >
> >
> > This tested on my site:
> > security.instock.ru 8080
>
> This one really seems to be the old "WebDAV is not safe" one. I guess it
> has been tackled already. You should be able to switch the file listing off
> for the Anonymous User in Zope 2.4.1 ...
>
> Joachim

I totally agree. Tracebacks should not be visible to anonymous users! Although I would hesitate to call this a vulnerability, it ranks up there with the old ability to call objectIds by URL as anonymous.

The less information that anonymous users can glean about the server, the better.

/---\
Casey Duncan, Sr. Web Developer
National Legal Aid and Defender Association
[EMAIL PROTECTED]
\---/
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
> Vulnerability: attacking can get file list and directory
> Tested on Win32 platform
>
> Example:
> telnet zopeserver 8080
> PROPFIND / HTTP/1.0
>
> < list files and directory >
>
> This tested on my site:
> security.instock.ru 8080

This one really seems to be the old "WebDAV is not safe" one. I guess it has been tackled already. You should be able to switch the file listing off for the Anonymous User in Zope 2.4.1 ...

Joachim
[Zope-dev] Vulnerability: attacking can get file list and directory
Vulnerability: attacking can get file list and directory
Tested on Win32 platform

Example:
telnet zopeserver 8080
PROPFIND / HTTP/1.0

< list files and directory >

This tested on my site:
security.instock.ru 8080
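The probe in the report, and the check Joachim's reply implies (confirm that listing is off for the Anonymous User after the fix), as an added example that is not part of the original post: it builds the same body-less PROPFIND the reporter typed into telnet (with an explicit Depth: 1, which the telnet version omitted), parses the WebDAV 207 multistatus reply for the DAV:href entries, and reports whether an unauthenticated client can enumerate the folder. The host name and both sample replies are constructed for the example, so it runs offline; anonymous_listing() does the live probe.

```python
"""Does anonymous PROPFIND enumerate a folder?  Added example, not Zope's code."""
import socket
import xml.etree.ElementTree as ET

DAV = "{DAV:}"


def propfind_request(host, port, path="/", depth="1"):
    """Raw HTTP/1.0 PROPFIND with no body (treated as allprop); Depth 1 = direct children."""
    lines = [
        f"PROPFIND {path} HTTP/1.0",
        f"Host: {host}:{port}",
        f"Depth: {depth}",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_response(raw):
    """Split a raw HTTP response into (status code, list of DAV:href values).

    Anything but 207 Multi-Status yields no hrefs: 401 when the folder demands
    credentials for WebDAV, 405 when the method is not served at all.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1].decode())
    if status != 207:
        return status, []
    root = ET.fromstring(body)
    return status, [h.text for h in root.iter(DAV + "href")]


def exposed(raw, root="/"):
    """True when an unauthenticated PROPFIND lists children of root."""
    status, hrefs = parse_response(raw)
    return status == 207 and any(h != root for h in hrefs)


def anonymous_listing(host, port, path="/", timeout=5):
    """Probe a live server without credentials; returns (status, hrefs)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(propfind_request(host, port, path))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


# Constructed samples (not real captures) of an exposed and a protected server.
SAMPLE_207 = (
    b"HTTP/1.0 207 Multi-Status\r\nContent-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<d:multistatus xmlns:d="DAV:">'
    b"<d:response><d:href>/</d:href></d:response>"
    b"<d:response><d:href>/index_html</d:href></d:response>"
    b"<d:response><d:href>/acl_users/</d:href></d:response>"
    b"</d:multistatus>"
)
SAMPLE_401 = b'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Zope"\r\n\r\n'

if __name__ == "__main__":
    print(propfind_request("zopeserver", 8080).decode())   # assumed host name
    print("sample 207 exposed:", exposed(SAMPLE_207))
    print("sample 401 exposed:", exposed(SAMPLE_401))
```

Run anonymous_listing() against your own instance before and after restricting WebDAV access for Anonymous: a 401 or 405, or a 207 that names only the root itself, means the listing is gone.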