Re: [Zope-dev] Vulnerability: attacking can get file list and directory
On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
Vulnerability: attacker can get file list and directory
Tested on Win32 platform
Example: telnet zopeserver 8080 PROPFIND / HTTP/1.0 <enter> <enter> <enter>
< list files and directory >
This tested on my site: security.instock.ru 8080
This one really seems to be the old "WebDAV is not safe" one. I guess it has been tackled already. You should be able to switch the file listing off for the Anonymous User in Zope 2.4.1 ...
Joachim
I totally agree. Tracebacks should not be visible to anonymous users! Although I would hesitate to call this a vulnerability, it ranks up there with the old ability to call objectIds by URL as anonymous.
The less information that anonymous users can glean about the server, the better.
From a non-technical, PR-wise point of view let me add that this type of "vulnerability" easily gets Zope mentioned on lists like Bugtraq. The perception is that these things really are vulnerabilities. Proof: 17.9., a posting named "Yet another path disclosure vulnerability" targeted at Oracle 9i AppServer, and 21.9., "RM Security Advisory: Xcache Path Disclosure Vulnerability", both of which describe exactly the analogue of how Zope handles things.
cheers, oliver
Oliver Bleutgen wrote:
From a non-technical, PR-wise point of view let me add that this type of "vulnerability" easily gets Zope mentioned on lists like Bugtraq. The perception is that these things really are vulnerabilities.
You're right, a quick search on Google for "path disclosure vulnerability" yields a lot of hits for lots of applications. It troubles me that people consider PDV to be important at all when the client-side trojan bug is still fully exploitable on all browsers including IE and Mozilla! (AFAIK) Client-side trojans, which can cause your browser to invisibly post a comment on a weblog, execute a financial transaction, or break into servers you maintain, are a major risk. PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an "error.log" instead of sending the traceback to the browser. What do you think?
Shane
Shane Hathaway wrote:
[...] PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an "error.log" instead of sending the traceback to the browser. What do you think?
I think it's fine, but only if specified on the z2.py cmdline or other configuration equivalent (--paranoid or PARANOID="yes, please!" come to mind :-). But I guess that goes without saying. Alternatively (or concurrently) we could reformat the traceback to report file names relative to the Zope installation directory (or to INSTANCE_HOME) instead of reporting the absolute filename. In this case the only leaked information is of the kind an attacker could easily obtain from downloading the Zope source code, which, last time I looked, was available for all those damned script kiddies to download. Damn these open-source projects who keep posting their source code allowing Hackers(TM) to look at its vulnerabilities :-)
Cheers, Leo
On Mon, Sep 24, 2001 at 10:59:11AM -0400, Shane Hathaway wrote:
Oliver Bleutgen wrote:
From a non-technical, PR-wise point of view let me add that this type of "vulnerability" easily gets Zope mentioned on lists like Bugtraq. The perception is that these things really are vulnerabilities.
You're right, a quick search on google for "path disclosure vulnerability" yields a lot of hits for lots of applications.
It troubles me that people consider PDV to be important at all when the client-side trojan bug is still fully exploitable on all browsers including IE and Mozilla! (AFAIK) Client-side trojans, which can cause your browser to invisibly post a comment on a weblog, execute a financial transaction, or break into servers you maintain, are a major risk.
PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an "error.log" instead of sending the traceback to the browser. What do you think?
Yes, the error log approach is far preferable. But, it would be nice if the browser got a message something like: "An error has occurred: (stuff above traceback information is printed). Refer your administrator to the error log key XXXXXXXXXXXX", and then prepend each line of the error log for this item with XXXXXXXXXXXX. Then a simple grep would be enough to find the particular error in question.
[And it might be really nice if errors were emailed to an administrator, as well as logged. If this is done, it would probably be desirable to have some sort of per-folder property in which the proper contact(s) could be listed.]
Jim Penny
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Shane Hathaway wrote:
PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an "error.log" instead of sending the traceback to the browser. What do you think?
Well, how about just changing the brain-dead way standard_error_message works? The traceback should _not_ be _appended_ to the error message. If an app developer chooses to show it, then fine they can as they do already (mine sends me an error email ;-), but why should it be appended in all circumstances (even if it is in html quoting on production servers?!) Oh yeah, Authentication exceptions shouldn't return a hard coded error message either... bah humbug ;-) Chris
From: Chris Withers <chrisw@nipltd.com>
The traceback should _not_ be _appended_ to the error message. If an app developer chooses to show it, then fine they can as they do already (mine sends me an error email ;-), but why should it be appended in all circumstances
Be careful of that -- I recently got *flooded* with error emails from a recent bout of the Code Red worm looking for files that weren't on my server :(
marc lindahl wrote:
Be careful of that -- I recently got *flooded* with error emails from a recent bout of the Code Red worm looking for files that weren't on my server :(
Yup, had that too... I patched BaseRequest.py to not bitch ;-) Mind you, I surpassed myself with a similar thing with a bit of Notes/Zope integration that resulted in me getting 17,000 emails one sunny morning... At least I know we have a decent mail server ;-)
Chris
On Monday 24 September 2001 10:59 am, Shane Hathaway allegedly wrote: [snip]
PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an "error.log" instead of sending the traceback to the browser. What do you think?
Shane
My suggestion would be to hide it for all users except Managers by default. So that you aren't hosed if you don't have access to the server log files... /---------------------------------------------------\ Casey Duncan, Sr. Web Developer National Legal Aid and Defender Association c.duncan@nlada.org \---------------------------------------------------/
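The three proposals made in this thread (Leo: report traceback file names relative to the installation directory; Jim: log the traceback server-side under a key, prefix every log line with that key and show only the key to the browser; Casey: show the traceback itself only to Managers) fit together into one small error-handling routine. The following is an added example written for this page; it is not Zope's own code and not part of any message above. `INSTALL_ROOTS` is a constructed stand-in for Zope's SOFTWARE_HOME / INSTANCE_HOME, the in-memory `ErrorLog` stands in for an `error.log` file, and roles are passed as a plain tuple of role names rather than being looked up from a real user object.

```python
"""Client-safe error pages with a server-side, grep-able error log.

Added example (not Zope code).  Demonstrates: tracebacks rewritten relative
to the install root, one key per error prefixed on every log line, and the
full traceback shown only to Managers.
"""
import traceback
import uuid

# Assumed installation roots (constructed values standing in for Zope's
# SOFTWARE_HOME and INSTANCE_HOME).  Anything under these is public source.
INSTALL_ROOTS = ("/opt/zope/instance", "/opt/zope/lib/python")


def relativize_traceback(tb_text, roots=INSTALL_ROOTS):
    """Rewrite 'File "/abs/root/x.py"' entries so the path is relative to an
    installation root.  What remains can be read from the public source."""
    out = []
    for line in tb_text.splitlines():
        for root in roots:
            marker = 'File "%s/' % root.rstrip("/")
            if marker in line:
                line = line.replace(marker, 'File "')
        out.append(line)
    return "\n".join(out)


class ErrorLog:
    """In-memory stand-in for error.log.  Every line of an entry carries the
    entry's key, so `grep KEY error.log` returns exactly that traceback."""

    def __init__(self, roots=INSTALL_ROOTS):
        self.roots = roots
        self.lines = []  # what would be appended to error.log

    def record(self, exc):
        """Log the (relativized) traceback of exc; return its lookup key."""
        key = uuid.uuid4().hex[:12].upper()
        tb_text = "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__))
        for line in relativize_traceback(tb_text, self.roots).splitlines():
            self.lines.append("%s %s" % (key, line))
        return key

    def grep(self, key):
        """Return the traceback lines logged under key, key prefix stripped."""
        prefix = key + " "
        return [l[len(prefix):] for l in self.lines if l.startswith(prefix)]


def render_error(exc, log, user_roles=()):
    """Return (key, body) for the client.  Managers get the relativized
    traceback appended; every other user sees only the type and the key."""
    key = log.record(exc)
    body = [
        "An error has occurred: %s" % type(exc).__name__,
        "Refer your administrator to error log key %s." % key,
    ]
    if "Manager" in user_roles:
        body.append("")
        body.extend(log.grep(key))
    return key, "\n".join(body)


def demo():
    """Constructed failure in a pretend request handler.  Returns the body an
    anonymous user would see, the body a Manager would see, and the log."""
    log = ErrorLog()
    try:
        {}["missing"]  # constructed: the handler looks up an absent object
    except KeyError as exc:
        _, anon_body = render_error(exc, log, user_roles=("Anonymous",))
        _, mgr_body = render_error(exc, log, user_roles=("Manager",))
    return anon_body, mgr_body, log


if __name__ == "__main__":
    anon, mgr, log = demo()
    print("--- anonymous sees ---\n" + anon)
    print("--- Manager sees ---\n" + mgr)
    print("--- error.log ---\n" + "\n".join(log.lines))
```

Each browser response carries the key but no file names; the administrator runs `grep KEY error.log` (or `log.grep(key)` here) to see the full record. Because the key is generated per error rather than taken from the request, a flood of bogus requests (the Code Red case mentioned above) fills the log but cannot steer what the log contains.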