On Mon, Sep 24, 2001 at 10:59:11AM -0400, Shane Hathaway wrote:
> Oliver Bleutgen wrote:
> > From a non-technical, PR-wise point of view let me add that this type of "vulnerability" easily gets Zope mentioned on lists like bugtraq. The perception is that these things really are vulnerabilities.
>
> You're right, a quick search on Google for "path disclosure vulnerability" yields a lot of hits for lots of applications.
>
> It troubles me that people consider PDV to be important at all when the client-side trojan bug is still fully exploitable on all browsers including IE and Mozilla! (AFAIK) Client-side trojans, which can cause your browser to invisibly post a comment on a weblog, execute a financial transaction, or break into servers you maintain, are a major risk.
>
> PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an "error.log" instead of sending the traceback to the browser. What do you think?

Yes, the error log approach is far preferable. But it would be nice if the browser got a message something like: "An error has occurred: (stuff above traceback information is printed). Refer your administrator to the error log key XXXXXXXXXXXX", and then prepend each line of the error log for this item with XXXXXXXXXXXX. Then a simple grep would be enough to find the particular error in question.

[And it might be really nice if errors were emailed to an administrator, as well as logged. If this is done, it would probably be desirable to have some sort of per-folder property in which the proper contact(s) could be listed.]

Jim Penny

> Shane
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
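The error-key scheme Jim proposes, as an added Python example written for this edit and not code from Zope or from anyone on the thread: each failure gets a random key, every traceback line written to the log is prefixed with that key, and the browser only ever sees the generic message carrying the key, so the filesystem paths in the traceback never reach the client. The `faulty_view` function, the in-memory list standing in for error.log, and the message wording are constructed stand-ins.

```python
from __future__ import annotations

import secrets
import traceback


def generate_error_key(nbytes: int = 6) -> str:
    """Random key (12 hex chars) that ties the browser message to its log lines."""
    return secrets.token_hex(nbytes).upper()


def log_exception_with_key(exc: BaseException, key: str, log_lines: list[str]) -> int:
    """Append the full traceback to log_lines, prefixing every line with key.

    log_lines is a constructed stand-in for the error.log file; the function
    returns the number of lines written so callers can sanity-check the sink.
    """
    text = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    lines = [f"{key} {line}" for line in text.rstrip("\n").split("\n")]
    log_lines.extend(lines)
    return len(lines)


def handle_request(view, log_lines: list[str]) -> tuple[int, str]:
    """Run view(); on failure log the traceback and return only a keyed 500 page."""
    try:
        return 200, view()
    except Exception as exc:
        key = generate_error_key()
        log_exception_with_key(exc, key, log_lines)
        # Nothing from the traceback (paths, module names, values) goes to the client.
        body = f"An error has occurred. Refer your administrator to the error log key {key}."
        return 500, body


def find_log_entry(log_lines: list[str], key: str) -> list[str]:
    """The 'simple grep': return only the lines belonging to one key, prefix stripped."""
    prefix = key + " "
    return [line[len(prefix):] for line in log_lines if line.startswith(prefix)]


def faulty_view() -> str:
    """Constructed view that fails the way a misconfigured product might (no such file)."""
    with open("/no/such/path/config.zcml") as fh:  # constructed path, never exists
        return fh.read()
```

The log still holds the sensitive path for the administrator; only the client-facing body is stripped of it.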