Virtual Host Monster Paranoia
Right, I really like the idea of these things but I am concerned about something that allows anonymous users to futz with traversal. Can someone put my fears to rest that using these won't let anonymous users do bad things to my sites? cheers, Chris
On Tue, 13 Feb 2001, Chris Withers wrote:
Right,
I really like the idea of these things but I am concerned about something that allows anonymous users to futz with traversal.
Can someone put my fears to rest that using these won't let anonymous users do bad things to my sites?
I use them in conjunction with Apache's mod_proxy to rewrite http://www.simpledomain.com to the long http://zopehost.foo.com/blah/blah/VirtualHostMonster/blah/blah. The Zope host is behind a firewall, so anonymous users cannot get to it directly.
-Matt
-- Matt Hamilton matth@netsight.co.uk Netsight Internet Solutions, Ltd. Business Vision on the Internet http://www.netsight.co.uk +44 (0)117 9090901 Web Hosting | Web Design | Domain Names | Co-location | DB Integration
Matt Hamilton wrote:
I use them in conjunction with Apache's mod_proxy to rewrite http://www.simpledomain.com to the long http://zopehost.foo.com/blah/blah/VirtualHostMonster/blah/blah.
Okay, try going to this URL: http://www.simpledomain.com/VirtualHostBase/http/www.arse.com/VirtualHostRoo... cheers, Chris
On Tue, 13 Feb 2001 10:30:26 +0000 (GMT), Matt Hamilton <matth@netsight.co.uk> wrote:
I use them in conjunction with Apache's mod_proxy to rewrite http://www.simpledomain.com to the long http://zopehost.foo.com/blah/blah/VirtualHostMonster/blah/blah. The Zope host is behind a firewall, so anonymous users cannot get to it directly.
No, but they can get to: http://www.simpledomain.com/blah/VirtualHost/bad.stuff/blah which gets rewritten to: http://zopehost.foo.com/VirtualHost/http/www.simpledomain/blah/VirtualHost/b... Understanding its behaviour might be beyond the complexity threshold for a paranoid admin to be comfortable.
Toby Dickenson tdickenson@geminidataloggers.com
Toby Dickenson wrote:
http://zopehost.foo.com/VirtualHost/http/www.simpledomain/blah/VirtualHost/b...
Understanding its behaviour might be beyond the complexity threshold for a paranoid admin to be comfortable.
Well, it's easy enough to find out if a site is running Zope, then this becomes a pretty easy attack to think of.... (like objectIds, objectItems and objectValues used to be, they're great fun for poking your nose into other people's Zope sites and finding stuff you shouldn't ;-)
cheers, Chris (the paranoid one ;-)
From: "Chris Withers" <chrisw@nipltd.com>
Well, it's easy enough to find out if a site is running Zope, then this becomes pretty easy attack to think of....
I'm not going to claim that this is perfectly harmless, but I can't think of any way in which this could be termed an "attack". You can already provide any traversal path you like in the URL; all VHM adds is the ability to manipulate generated URLs, and in fairly crude ways. These URLs come back to your browser in a page, where they have no more potential for harm than if you'd assembled them by hand. The only scenario I can imagine where this could even affect the operation of a site is one where the site uses URLs internally in some fashion. This is part of the reason that Zope has shifted from using URLs to paths when addressing objects, since paths are unaffected by URL manipulation.
Cheers, Evan @ digicool & 4-am
Toby Dickenson wrote:
No, but they can get to:
http://www.simpledomain.com/blah/VirtualHost/bad.stuff/blah
which gets rewritten to:
http://zopehost.foo.com/VirtualHost/http/www.simpledomain/blah/VirtualHost/b...
If VHM doesn't do it already, patch it so that it rejects URLs with more than one VirtualHost part.
Understanding its behaviour might be beyond the complexity threshold for a paranoid admin to be comfortable.
Then again, there's the advantage of having something included as a standard part of Zope.
-- Steve Alexander Software Engineer Cat-Box limited http://www.cat-box.net
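An added example (not code from the thread, from Zope or from any of the posters) of the rejection Steve proposes, applied at the proxy boundary: it models the mod_proxy rewrite Matt and Toby describe and refuses client paths that already carry VHM directive segments, so the URL that reaches Zope holds exactly the one set the proxy inserted. The function names, the simplified rewrite form (no port component) and the marker set (VirtualHostBase from the thread, plus VirtualHostRoot and the `_vh_` prefix) are assumptions.

```python
from urllib.parse import urlsplit

# Path segments VirtualHostMonster interprets as directives. VirtualHostBase
# is named in the thread; VirtualHostRoot and the "_vh_" prefix are assumed
# here from VHM's URL form and can be adjusted for a given deployment.
VHM_MARKERS = frozenset({"VirtualHostBase", "VirtualHostRoot"})
VHM_PREFIX = "_vh_"

def vhm_segments(path):
    """Return the path segments VHM would treat as directives."""
    return [seg for seg in path.split("/")
            if seg in VHM_MARKERS or seg.startswith(VHM_PREFIX)]

def proxy_rewrite(public_url, zope_host):
    """Model the mod_proxy rewrite from the thread (simplified, no port):
    map http://public/path to the VHM form on the firewalled Zope host."""
    u = urlsplit(public_url)
    return (f"http://{zope_host}/VirtualHostBase/{u.scheme}/{u.netloc}"
            f"/VirtualHostRoot{u.path or '/'}")

def safe_rewrite(public_url, zope_host):
    """Rewrite only when the client-supplied path carries no VHM directives."""
    u = urlsplit(public_url)
    injected = vhm_segments(u.path)
    if injected:
        raise ValueError(f"client path carries VHM directives: {injected}")
    rewritten = proxy_rewrite(public_url, zope_host)
    # Steve's "more than one VirtualHost part" rule, checked on what actually
    # reaches Zope: exactly the Base and Root pair the proxy inserted.
    if len(vhm_segments(urlsplit(rewritten).path)) != 2:
        raise ValueError("rewritten URL has an unexpected number of VHM parts")
    return rewritten

def classify(public_url, zope_host):
    """Return ("rewritten", url) or ("rejected", reason), e.g. for logging."""
    try:
        return ("rewritten", safe_rewrite(public_url, zope_host))
    except ValueError as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    # Constructed sample requests modelled on the URLs in the thread.
    for url in ("http://www.simpledomain.com/blah/index_html",
                "http://www.simpledomain.com/blah/VirtualHostBase/bad.stuff/blah",
                "http://www.simpledomain.com/_vh_x/blah"):
        print(classify(url, "zopehost.foo.com"))
```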
On Tue, 13 Feb 2001 10:24:54 +0000, Chris Withers <chrisw@nipltd.com> wrote:
I really like the idea of these things but I am concerned about something that allows anonymous users to futz with traversal.
Can someone put my fears to rest that using these won't let anonymous users do bad things to my sites?
I didn't realize V-H-M was coming in 2.3.0, and developed an alternative that fills a similar niche: http://www.zope.org/Members/htrd/howto/host-server This option has fewer 'moving parts' than anything based on SiteAccess (which I still feel uncomfortable with, sorry Evan)
Toby Dickenson tdickenson@geminidataloggers.com
participants (5): Chris Withers, Evan Simpson, Matt Hamilton, Steve Alexander, Toby Dickenson