On Tue, Nov 15, 2005 at 11:02:06AM +0000, Chris Withers wrote:
| Philipp von Weitershausen wrote:
| >True, it's not the nicest solution. But you could make it safer by first
| >stripping the according request variable from the QUERY_STRING.
| >mod_rewrite is quite powerful in that respect.
| Is it just me, or should a deep feeling of uneasiness accompany the 
| extraction of authentication credentials from a query string? ;-)

It's not just you.  :-)

The hole this creates is:  someone makes an HTTP request directly to
Zope bypassing apache altogether.  This request could simply present
any username desired.

Some ways to limit the exposure of the hole is to have zope listen on
the loopback interface only.  Then prevent all shell access on the
system.  The only remaining hole at this point is if someone can
abuse some other network-accessible service and coerce it into making
the request (or to open a back door).


Bugs come in through open windows. Keep Windows shut!
www: http://dman13.dyndns.org/~dman/            jabber: [EMAIL PROTECTED]

Attachment: signature.asc
Description: Digital signature

Zope3-users mailing list

Reply via email to