> On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
>> > Vulnerability: an attacker can get the file and directory listing
>> > Tested on Win32 platform
>> >
>> > Example:
>> > telnet zopeserver 8080
>> > PROPFIND / HTTP/1.0
>> > <enter>
>> > <enter>
>> > <enter>
>> >
>> > < list files and directory >
>> >
>> > This was tested on my site:
>> > security.instock.ru 8080
>>
>> This one really seems to be the old "WebDAV is not safe" one. I guess it
>> has been tackled already. You should be able to switch the file listing
>> off for the Anonymous User in Zope 2.4.1 ...
>>
>> Joachim

> I totally agree. Tracebacks should not be visible to anonymous users!
> Although I would hesitate to call this a vulnerability, it ranks up there
> with the old ability to call objectIds by URL as anonymous.

> The less information that anonymous users can glean about the server, the
> better.


From a non-technical, PR-wise point of view let me add that
this type of "vulnerability" easily gets Zope mentioned on lists
like bugtraq. The perception is that these things really are
vulnerabilities.
Proof:

17.9. A posting named "Yet another path disclosure vulnerability"
targeted at Oracle 9i appserver,
and
21.9. "RM Security Advisory: Xcache Path Disclosure Vulnerability"

both of which describe exactly the analogue of how Zope handles
things.

cheers,
oliver
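As an added example (not code from this thread or from the Zope project): the condition the posters describe, an unauthenticated PROPFIND answered with a listing, leaves a recognisable trace in the server's access log. The check below scans Common Log Format lines (the layout Zope's Z2.log is assumed to use here; the sample lines are constructed) and flags PROPFIND requests that were served a 207 Multi-Status to a client with no authenticated user, which is what the "switch the listing off for Anonymous" fix is meant to prevent.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format
# (host ident user [time] "request" status bytes); the Z2.log layout is
# assumed, as is the fact that Zope writes the authenticated user name in
# the third field and "-" when the request was anonymous.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Sep/2001:20:31:02 +0400] "PROPFIND / HTTP/1.0" 207 8421
10.0.0.5 - - [23/Sep/2001:20:31:09 +0400] "PROPFIND /docs HTTP/1.0" 207 3310
10.0.0.7 - admin [23/Sep/2001:20:32:11 +0400] "PROPFIND /docs HTTP/1.1" 207 1290
10.0.0.9 - - [23/Sep/2001:20:33:40 +0400] "GET /index_html HTTP/1.0" 200 512
10.0.0.5 - - [23/Sep/2001:20:34:01 +0400] "PROPFIND /private HTTP/1.0" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def anonymous_propfind_hits(log_text):
    """Return (host, path) pairs for PROPFIND requests that were answered with
    207 Multi-Status while no user was authenticated ("-" in the user field).
    A 207 to an anonymous client means the server handed out the collection
    listing; a 401 (as on /private above) means the listing was withheld."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if (rec["method"] == "PROPFIND"
                and rec["user"] == "-"
                and rec["status"] == "207"):
            hits.append((rec["host"], rec["path"]))
    return hits


def hosts_by_count(hits):
    """Rank the source hosts behind the flagged requests, most active first."""
    return Counter(host for host, _ in hits).most_common()


if __name__ == "__main__":
    found = anonymous_propfind_hits(SAMPLE_LOG)
    for host, path in found:
        print(f"anonymous listing served: {host} PROPFIND {path}")
    print("by host:", hosts_by_count(found))
```

Running it on a real Z2.log after the Anonymous listing has been disabled should yield no hits; any that remain point at collections where the permission change did not take effect.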

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )