Hello,

We just discovered that when using VirtualHostMonster in apache
RewriteRules, it is possible to access every content in the zope
instance. If the URL points to a subfolder, just like
http://localhost:9080/VirtualHostBase/http/www.name.com:80/subfolder/VirtualHostRoot/$1
then it's still possible to access content below that subfolder on the
instance. If $1 is some foldername that doesn't exist in the subfolder
but instead in the root folder of the instance, its content is returned.

An example to make it explicit:

Let's assume we have three directories in the root folder of the
instance: /project1, /project2 and /project3.

The VirtualHostMonster is used to access project2 directly via
www.project2.com:
RewriteRule ^/(.*) http://localhost:9080/VirtualHostBase/http/www.project2.com:80/project2/VirtualHostRoot/$1 [P]

But both project1 and project3 are also accessible through project2.com
over the URLs "http://www.project2.com/project1" and
"http://www.project3.com/project3".

Is this a known issue? I consider that as a quite serious bug, as both
project1 and project3 might be private and should not be published over
the globally available apache rewriterule.

We do use zope2.10.5 on a debian/etch system.

greetings,
 jonas
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
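
Added example, not part of the original message and not Zope source code: a simplified Python model of the traversal the message describes. It assumes the behaviour comes from Zope 2 acquisition (a name missing in a folder is looked up in its containers) and that VirtualHostRoot only changes generated URLs; Folder, lookup, traverse, build_site, PREFIX and the anonymous_view flag (a stand-in for the View permission) are hypothetical names.

```python
# Simplified model, constructed for illustration (not Zope code), of URL
# traversal with acquisition and the VirtualHostMonster path tokens.
PREFIX = "/VirtualHostBase/http/www.project2.com:80/project2/VirtualHostRoot/"

class Folder:
    def __init__(self, name, parent=None, anonymous_view=True):
        self.name, self.parent, self.children = name, parent, {}
        self.anonymous_view = anonymous_view  # stand-in for the View permission
        if parent is not None:
            parent.children[name] = self

    def physical_path(self):
        node, parts = self, []
        while node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts))

def lookup(context, name):
    """Return a direct child, else acquire the name from containing folders."""
    node = context
    while node is not None:
        if name in node.children:
            return node.children[name]
        node = node.parent
    return None

def traverse(root, path):
    """Resolve a rewritten request path as an anonymous visitor."""
    parts = [p for p in path.split("/") if p]
    if parts and parts[0] == "VirtualHostBase":
        parts = parts[3:]  # drop the token, the protocol and host:port
    obj = root
    for name in parts:
        if name == "VirtualHostRoot":
            continue  # marks the virtual root for URLs; lookup is unchanged
        obj = lookup(obj, name)
        if obj is None:
            return "404 Not Found"
        if not obj.anonymous_view:
            return "401 Unauthorized"
    return obj.physical_path()

def build_site(project1_public=True):
    root = Folder("")
    Folder("project1", root, anonymous_view=project1_public)
    Folder("project2", root)  # the folder published as www.project2.com
    Folder("project3", root)
    return root
```

In this model the sibling folder stops being served only when its own permission flag denies anonymous access; the rewrite prefix alone does not confine lookup to project2.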
