I don't know if this has been raised before, but the following excerpt
from the most recent SANS security alert concensus made me think:
---------- Forwarded message ----------
[...]
--> {00.31.014} Apache TomCat leaks system information
Apache's TomCat server has been found to provide various types of system
information to an attacker-such as full system paths being displayed in
error messages. TomCat also comes with the "snoop" servlet, which
provides even more detailed information about the system when invoked.
----------------------------------------
Obviously the 'snoop' servlet is the reason this was posted, but
still, they are calling full path information a security leak.
Not perhaps something to put high on a priority list, but should there
be a way to prevent full path information from appearing in
error messages? It would have the side benefit of making the
error messages more readable <grin>.
--RDM
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
