On Tue, Oct 14, 2003 at 04:18:17PM -0400, Tres Seaver wrote:
> On Tue, 2003-10-14 at 16:08, Chris Pelton wrote:
> > Yes, that's what I'm thinking happened here, but I need to verify that was the case. Are there any logs in zope that could help track this down, or a known configuration that would allow it to happen? Also, for future reference, can we disable this? Any ideas how someone might be able to tell Zope is running?
>
> I believe that the scenario Robert is describing does not actually involve Zope at all; rather, (in this scenario) Apache is willing to forward arbitrary traffic, via the 'CONNECT' verb. Check your Apache access logs for the HTTP verb, 'CONNECT'. Squid's default configs have specific settings to allow CONNECT only for HTTPS; I'm guessing that your Apache config might need to be tweaked likewise.

Yup, I don't think zope even *can* do something like that. I was guessing that the exploit was at the application level - somebody found a MailHost with wide-open permissions and abused it with a client script.

--
Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's THE INTOXICATED GIRL!
(random hero from isometric.spaceninja.com)
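
The access-log check suggested in the quoted reply above, as an added example that is not part of the original thread: it parses Apache common/combined log lines, collects CONNECT requests per client, and flags tunnels that were accepted to a port outside an allow-list. The sample log lines, the function names, the 443-only allow-list and the reading of a 2xx status as "tunnel accepted" are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Apache common/combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
ALLOWED_PORTS = {443}  # assumption: HTTPS only, as the thread describes for Squid

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Oct/2003:15:02:11 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 200 512',
    '192.0.2.10 - - [14/Oct/2003:15:02:14 -0400] "CONNECT mail.example.org:25 HTTP/1.0" 200 498',
    '198.51.100.7 - - [14/Oct/2003:15:05:40 -0400] "CONNECT shop.example.com:443 HTTP/1.1" 403 287',
    '203.0.113.5 - - [14/Oct/2003:15:06:01 -0400] "GET /index_html HTTP/1.1" 200 4312',
]

def find_connect_requests(lines, allowed_ports=ALLOWED_PORTS):
    """Return {client: [hit, ...]} for every CONNECT request in the log lines."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        # CONNECT targets are host:port; split on the last colon.
        host, _, port = m.group("target").rpartition(":")
        port = int(port) if port.isdigit() else None
        status = int(m.group("status"))
        findings[m.group("client")].append({
            "time": m.group("time"),
            "host": host or m.group("target"),
            "port": port,
            "status": status,
            "tunnelled": 200 <= status < 300,  # assumption: 2xx means it was relayed
            "port_allowed": port in allowed_ports,
        })
    return dict(findings)

def suspicious_clients(findings):
    """Clients with at least one accepted CONNECT to a port outside the allow-list."""
    return sorted(c for c, hits in findings.items()
                  if any(h["tunnelled"] and not h["port_allowed"] for h in hits))

if __name__ == "__main__":
    hits = find_connect_requests(SAMPLE_LOG)
    for client in suspicious_clients(hits):
        for h in hits[client]:
            print(client, h["time"], f'{h["host"]}:{h["port"]}', h["status"])
```
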