Hi, probably the HelpSys object shouldn't be available by default to non-authenticated users, because it gives too much information on the currently installed products. Access any Zope site this way: http://your.zope.site/HelpSys and you'll learn what products are available on the server. This can't lead to a direct compromise, but this gives way too much information to anonymous users IMHO. Tested today on several low and very high profile sites. bye, Jerome Alet
Jerome Alet wrote:
probably the HelpSys object shouldn't be available by default to non-authenticated users, because it gives too much information on the currently installed products.
access any Zope site this way:
and you'll learn what products are available on the server.
Another way to gather this data would be: http://YourServer/Control_Panel/Products/ExternalEditor gives Anonymous the ZopeStartPage if ExternalEditor is installed and a SiteError if not. -mj
I believe this particular item can be worked around to a degree. In the index_html in the root folder I simply put: <dtml-raise NotFound>index_html</dtml-raise> This helps hide the fact that certain objects are present, but it doesn't protect from the HelpSys or other kinds of acquisition treachery. Of course I can get away with this because I didn't need my root index_html for content... if you have your site set up differently you may have to wrap that with some URI checks first. -- Jamie Heilman http://audible.transient.net/~jamie/ "You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
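A small self-check for the two anonymous disclosures discussed in this thread, added here as an example and not code from any of the posters. It fetches the HelpSys and Control_Panel/Products/ExternalEditor paths named above from a Zope instance you administer and reports which of them still answer an unauthenticated request; the fetch helper, the injectable `fetch` parameter and the rule that only an HTTP 200 counts as "exposed" are this example's own assumptions.

```python
"""Self-check: can an anonymous client still read the objects named in the thread?"""
import urllib.error
import urllib.request

# Paths the thread says reveal installed products to anonymous users.
PROBES = {
    "HelpSys": "/HelpSys",
    "ExternalEditor": "/Control_Panel/Products/ExternalEditor",
}


def http_status(url, timeout=10):
    """Return the HTTP status code for an unauthenticated GET of url."""
    req = urllib.request.Request(url, headers={"User-Agent": "zope-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401/403/404/500 are answers we want to classify, not failures.
        return err.code


def audit(base_url, fetch=http_status):
    """Map each probe name to 'exposed' or 'hidden' for one site.

    fetch is injectable so the classification can be exercised offline.
    Assumption: a 200 means Anonymous can read the object as-is; any other
    code (NotFound, Unauthorized, SiteError page) means it is not served.
    """
    base = base_url.rstrip("/")
    result = {}
    for name, path in PROBES.items():
        status = fetch(base + path)
        result[name] = "exposed" if status == 200 else "hidden"
    return result


if __name__ == "__main__":
    import sys

    site = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    for name, verdict in audit(site).items():
        print(f"{name:15s} {verdict}")
```

Run it before and after applying a workaround such as the dtml-raise above to confirm which paths changed; a "hidden" verdict only means the object is not served to Anonymous, not that it has been removed.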