On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
Vulnerability: attacker can get file and directory list. Tested on Win32 platform.
Example:
    telnet zopeserver 8080
    PROPFIND / HTTP/1.0 <enter> <enter> <enter>
    < list files and directory >
This tested on my site: security.instock.ru 8080
This one really seems to be the old "WebDAV is not safe" one. I guess it has been tackled already. You should be able to switch the file listing off for the Anonymous User in Zope 2.4.1 ...
Joachim
I totally agree. Tracebacks should not be visible to anonymous users! Although I would hesitate to call this a vulnerability, it ranks up there with the old ability to call objectIds by URL as anonymous.
The less information that anonymous users can glean about the server, the better.
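A defender's check for the listing problem discussed above: the WebDAV success status for PROPFIND is 207 Multi-Status, so an access log line with an anonymous user field ("-") and a 207 reply to PROPFIND means the server handed out a property/directory listing to a client that never authenticated. The script below is an added example, not code from the thread or from Zope; the log lines are constructed for illustration in Common Log Format, and the path names in them are made up.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Sep/2001:20:10:01 +0200] "GET /index_html HTTP/1.0" 200 1532
10.0.0.7 - - [23/Sep/2001:20:11:14 +0200] "PROPFIND / HTTP/1.0" 207 4821
10.0.0.7 - - [23/Sep/2001:20:11:20 +0200] "PROPFIND /Control_Panel HTTP/1.0" 207 2210
10.0.0.9 - admin [23/Sep/2001:20:12:02 +0200] "PROPFIND /site HTTP/1.1" 207 3002
10.0.0.7 - - [23/Sep/2001:20:13:45 +0200] "PROPFIND /private HTTP/1.0" 401 312
10.0.0.8 - - [23/Sep/2001:20:14:10 +0200] "GET /nonexistent HTTP/1.0" 404 250
"""

# Common Log Format: client ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # CLF writes "-" in the user field when no credentials were presented.
    rec["anonymous"] = rec["user"] == "-"
    return rec


def anonymous_listings(log_text):
    """Return records where an unauthenticated client received a 207 to PROPFIND.

    207 Multi-Status is the success response for PROPFIND, so each hit is a
    listing served to someone who never logged in. 401 replies are the
    desired outcome and are not reported.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "PROPFIND" and rec["anonymous"] and rec["status"] == 207:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count offending records per source address to see who is enumerating."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = anonymous_listings(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} PROPFIND {h["path"]} -> 207 (anonymous)')
    print(summarize(found))
```

Run against a real access log by passing the file contents to anonymous_listings(); any hit means the WebDAV listing permission is still granted to the anonymous role and should be withdrawn, after which the same request should show up as 401 instead.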
From a non-technical, PR-wise point of view let me add that this type of "vulnerability" easily gets Zope mentioned on lists like bugtraq. The perception is that these things really are vulnerabilities. Proof: 17.9. a posting named "Yet another path disclosure vulnerability" targeted at Oracle 9i appserver, and 21.9. "RM Security Advisory: Xcache Path Disclosure Vulnerability", both of which describe exactly the analogue to how Zope handles things.
cheers, oliver