I don't know if this has been raised before, but the following excerpt
from the most recent SANS security alert concensus made me think:

---------- Forwarded message ----------
--> {00.31.014} Apache TomCat leaks system information

Apache's TomCat server has been found to provide various types of system
information to an attacker-such as full system paths being displayed in
error messages. TomCat also comes with the "snoop" servlet, which
provides even more detailed information about the system when invoked.


Obviously the 'snoop' servlet is the reason this was posted, but
still, they are calling full path information a security leak.
Not perhaps something to put high on a priority list, but should there
be a way to prevent full path information from appearing in
error messages?  It would have the side benefit of making the
error messages more readable <grin>.


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to