Re: [Zope] IIS and Zope share same problem :-S

2000-11-06 Thread Chris Withers

Pierre-Julien Grizel wrote:
 
 Hum... A possible way to solve this problem is to practice the "you
 can't do ANYTHING but..." policy... And, thus, according proxy roles to
 the methods that must access it, such as index_html.
 I know it's constraining but with a little work we can end up with
 something quite secure  secret.

It's not secret, you can still use /objectIds and /objectValues to find
out about things...
Secure, yes it is that.
But, it's a lot more than a little work.

What I was suggesting was something to do the grunt work of all this
with the same outcome.

oh well...

Chris

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] IIS and Zope share same problem :-S

2000-10-22 Thread Bill Anderson

Chris Withers wrote:
 
 Andrew Kenneth Milton wrote:
 
  |
  | http://www.zope.org/standard_html_header for example ;-)
 
  Not that old chestnut again...
 
 Yes, that old chestnut again. If it's considered a serious security flaw
 by Microsoft, maybe the Zope community should finally do something to
 solve it.
 
 ...and yes, there are discussions about this on Zope-dev right now,
 which will hopefully produce a solution :-)
 
 cheers,


As soon as you can tell us how to get Zope to go executing _files_ on
the server (read, in the filesystem), as opposed to objects in the
site I might accept it as the same bug.  :^)=

Then-again,-I-might-_use_-that-capability-if-I-could-ly y'rs Bill

--
E PLURIBUS LINUX


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] IIS and Zope share same problem :-S

2000-10-22 Thread Curtis Maloney

On Fri, 20 Oct 2000, Chris Withers wrote:
 Andrew Kenneth Milton wrote:
  | http://www.zope.org/standard_html_header for example ;-)
 
  Not that old chestnut again...

 Yes, that old chestnut again. If it's considered a serious security flaw
 by Microsoft, maybe the Zope community should finally do something to
 solve it.

 ...and yes, there are discussions about this on Zope-dev right now,
 wwhich will hopefully produce a solution :-)


Now, I may be missing the point of the fine grained access control of ZOPE, 
but knowing an objects ID is not at all the same as being able to access it, 
or even invoke it correctly.

The MS bug "allows access to any file on the webserver".  Whilst in ZOPE you 
may be able to enter the URL and invoke the object to some degree, unless you 
have the permissions to do whatever it does, what harm can you do? 

To me, this seems like more of a "patch by sensible admin" problem than a 
security hole.

 cheers,

 Chris


Have a better one,
Curtis Maloney.

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] IIS and Zope share same problem :-S

2000-10-20 Thread Andrew Kenneth Milton

+---[ Chris Withers ]--
|  MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
|  by Dave Murphy, [EMAIL PROTECTED]
|  
|  Microsoft is scrambling to repair damage caused by a
|  security hole in its IIS 4  5 webserver that runs on
|  Windows NT/2000. Microsoft claims over four million
|  IIS websites, and each one of them is at risk of
|  releasing sensitive data through the security hole.
|  Called the "Web Server Folder Traversal" error, the
|  flaw allows users to execute files on an IIS website by
|  requesting a specific web address. 
| 
| http://www.zope.org/standard_html_header for example ;-)

Not that old chestnut again...

| http://www.zope.org/objectIds as another...

To be fair this is not the same as the bug described below.

| 
|  The bug allows access to any file on the webserver via
|  a specified URL. Like all webservers, IIS is supposed
|  to prevent access to files that aren't intended to be
|  part of the website.

Knowing the file is there is not the same as accessing it.

-- 
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066   | Andrew Milton
The Internet (Aust) Pty Ltd  |  F:+61 7 3870 4477   | 
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068|[EMAIL PROTECTED]| 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] IIS and Zope share same problem :-S

2000-10-20 Thread Pierre-Julien Grizel


Hum... A possible way to solve this problem is to practice the "you
can't do ANYTHING but..." policy... And, thus, according proxy roles to
the methods that must access it, such as index_html.
I know it's constraining but with a little work we can end up with
something quite secure  secret.




P.-J.



Chris Withers wrote:
 
  MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
  by Dave Murphy, [EMAIL PROTECTED]
 
  Microsoft is scrambling to repair damage caused by a
  security hole in its IIS 4  5 webserver that runs on
  Windows NT/2000. Microsoft claims over four million
  IIS websites, and each one of them is at risk of
  releasing sensitive data through the security hole.
  Called the "Web Server Folder Traversal" error, the
  flaw allows users to execute files on an IIS website by
  requesting a specific web address.
 
 http://www.zope.org/standard_html_header for example ;-)
 http://www.zope.org/objectIds as another...
 
  The bug allows access to any file on the webserver via
  a specified URL. Like all webservers, IIS is supposed
  to prevent access to files that aren't intended to be
  part of the website.
 
 Maybe Zope should too
 
  This article is posted to http://itrain.org/itinfo/2000/it001017.html
 
  Live well, do good,
 
  --Dave Murphy
 
 cheers,
 
 Chris
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists -
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )

-- 
If the only tool you have is a hammer, 
you tend to see every problem as a nail.
Si le seul outil dont vous disposez est un marteau, 
vous avez tendance à voir chaque problème comme un clou. 
   --Abraham Maslow

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] IIS and Zope share same problem :-S

2000-10-20 Thread Ragnar Beer

As I already suggested ages ;) ago (and still didn't put into 
practice) it would here again be best to deny everything that isn't 
explicitly allowed (e.g. allow whatever ends with _html or .html and 
deny everything else) but then I would have to go over the whole 
website and make bazillions of changes ...

I fixed the problem temporarily by adding some 
"FilesMatch/LocationMatch + deny from all" in my httpd.conf. But what 
else do I have to deny apart from objectIds?

Ragnar

Andrew Kenneth Milton wrote:

  |
  | http://www.zope.org/standard_html_header for example ;-)

  Not that old chestnut again...

Yes, that old chestnut again. If it's considered a serious security flaw
by Microsoft, maybe the Zope community should finally do something to
solve it.

...and yes, there are discussions about this on Zope-dev right now,
which will hopefully produce a solution :-)

cheers,

Chris

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )