On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
> > Vulnerability: attacker can get file list and directory
> > Tested on Win32 platform
> >
> > Example:
> > telnet zopeserver 8080
> > PROPFIND / HTTP/1.0
> > <enter>
> > <enter>
> > <enter>
> >
> > < list files and directory >
> >
> > This was tested on my site:
> > security.instock.ru 8080
>
> This one really seems to be the old "WebDAV is not safe" one. I guess it
> has been tackled already. You should be able to switch the file listing off
> for the Anonymous User in Zope 2.4.1 ...
>
> Joachim

I totally agree. Tracebacks should not be visible to anonymous users!
Although I would hesitate to call this a vulnerability, it ranks up there
with the old ability to call objectIds by URL as anonymous.

The less information that anonymous users can glean about the server, the
better.

/---------------------------------------------------\
  Casey Duncan, Sr. Web Developer
  National Legal Aid and Defender Association
  [EMAIL PROTECTED]
\---------------------------------------------------/

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
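A defender-side audit of the behaviour discussed above, added here as example code (not from this thread or the Zope project): it issues the same anonymous PROPFIND over http.client and reports whether the server returned a Multi-Status listing or refused. The host and port are placeholders, and the Depth header and the sample 207 body are assumptions.

```python
"""Audit check: does a Zope/WebDAV host answer an unauthenticated PROPFIND
with a directory listing (207 Multi-Status), or refuse it (401/403)?
Added example, not code from the thread. Host/port are placeholders."""
import http.client
import xml.etree.ElementTree as ET

DAV_NS = "{DAV:}"


def classify_propfind(status, body):
    """Interpret an anonymous PROPFIND response.
    Returns ("exposed", [hrefs]) when a Multi-Status listing came back,
    ("denied", []) for 401/403, and ("other", []) for anything else."""
    if status in (401, 403):
        return ("denied", [])
    if status != 207:
        return ("other", [])
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("other", [])
    hrefs = [h.text.strip() for h in root.iter(DAV_NS + "href") if h.text]
    return ("exposed", hrefs)


def propfind_anonymous(host, port, path="/", depth="1", timeout=10):
    """Send one unauthenticated PROPFIND (the request from the telnet
    example, plus an assumed Depth header) and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("PROPFIND", path, headers={"Depth": depth, "Host": host})
        resp = conn.getresponse()
        return classify_propfind(resp.status, resp.read())
    finally:
        conn.close()


# Constructed sample of a 207 body, the shape an exposed listing comes back in.
SAMPLE_207 = b"""<?xml version="1.0"?>
<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>/</D:href></D:response>
  <D:response><D:href>/index_html</D:href></D:response>
  <D:response><D:href>/Control_Panel/</D:href></D:response>
</D:multistatus>"""

if __name__ == "__main__":
    print(classify_propfind(207, SAMPLE_207))
    # Against your own server (placeholder host):
    # print(propfind_anonymous("zopeserver.example", 8080))
```

A "denied" verdict for the Anonymous user is the configuration the reply above recommends; "exposed" means the object list is readable without credentials.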
