Ricardo Anguiano wrote:
> I am unclear on the problem. I am not using a cache.
If you're not using a cache then you shouldn't be vulnerable. I'd suggest using a protective configuration regardless though.
> a cache, wouldn't the "tainted" URIs just fill my cache with garbage and degrade performance?
Well, cache poisoning is a little bit more annoying than that--it would allow an attacker to make your site look like trash for subsequent visitors (or worse, given the issues described in issue 813, but that's a different bug).
> Can you describe a situation where the configuration is broken and allows plaintext transmissions?
If I can find a spot in the zope source where there exists a management method that doesn't have the word 'manage' in it, yes. I don't know of one off the top of my head though. I'm just saying that assuming that all ttw methods contain 'manage' somewhere in them may be a brash assumption. (Especially if you have 3rd party products installed.)
> Do you have a pointer to an example?
Well, consider the following Apache configuration fragment:

    # this vhost requires a valid client cert
    SSLVerifyClient require

    # ^/zope* is proxied to a local zserver
    RewriteRule ^/zope(.*) http://127.0.0.1:8080/VirtualHostBase/https/example.com:443/VirtualHostRoot/... [P,L]

    # ^/zope* is considered a protected realm, only clients whose DN
    # appears in the 'passwd' file will be allowed entry, proxy requests
    # sent to zserver will include an auth header constructed from the DN
    # and the password 'password'
    <Location "/zope">
        SSLOptions FakeBasicAuth
        AuthName "Zope Management"
        AuthType Basic
        AuthUserFile passwd
        require valid-user
    </Location>

Now the obvious issue with this is that every user's password is "password" and their username is their DN (which tends to be long and look ugly in the ZMI, but that's just cosmetic). I dunno, I may just ditch this line of thought entirely as I can't see any way to make this a safe practice on a multiuser machine without reverting to unix domain sockets, and that requires hacking the hell out of mod_rewrite or possibly mod_proxy. This probably just isn't worth all the effort.

-- 
Jamie Heilman http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass." -Frank Zappa
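The exposure Jamie describes in that fragment, worked through as an added example (this is not code from the thread, from Apache or from Zope). It models the Authorization header that mod_ssl's FakeBasicAuth makes Apache attach to the proxied request (the fixed password "password" is documented mod_ssl behaviour; the client DN below is constructed), and it lints a configuration fragment for the combination that worries him: a [P] rewrite to plain http on loopback, fronted by FakeBasicAuth, so that anything on the box which can open a TCP connection to the zserver port can present the same header without ever passing SSLVerifyClient. The directive parsing assumes one directive per line and is deliberately minimal.

```python
"""Added example: model FakeBasicAuth credentials and audit a proxy fragment."""
import base64
import re

# mod_ssl's FakeBasicAuth always supplies this literal password; the
# username it supplies is the client certificate's DN.
FAKE_BASIC_AUTH_PASSWORD = "password"

# The fragment from the thread, embedded here as the audit input.
SAMPLE_CONFIG = """\
# this vhost requires a valid client cert
SSLVerifyClient require
# ^/zope* is proxied to a local zserver
RewriteRule ^/zope(.*) http://127.0.0.1:8080/VirtualHostBase/https/example.com:443/VirtualHostRoot/... [P,L]
<Location "/zope">
    SSLOptions FakeBasicAuth
    AuthName "Zope Management"
    AuthType Basic
    AuthUserFile passwd
    require valid-user
</Location>
"""


def fake_basic_auth_header(client_dn: str) -> str:
    """Return the Authorization header the backend sees for a given client DN."""
    raw = f"{client_dn}:{FAKE_BASIC_AUTH_PASSWORD}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def decode_basic_header(header: str) -> tuple[str, str]:
    """Split a Basic header into (username, password), as the backend would."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# One-line RewriteRule with a flag list, e.g. "RewriteRule ^/zope(.*) http://... [P,L]"
_PROXY_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)\s+\[([^\]]*)\]", re.M)
# Plain-http target on the loopback interface.
_LOOPBACK_HTTP = re.compile(r"^http://(127\.\d+\.\d+\.\d+|localhost)(:\d+)?/", re.I)


def audit_fragment(config: str) -> list[str]:
    """Report findings for [P] rewrites to loopback http, worse when FakeBasicAuth is on."""
    findings = []
    uses_fake = re.search(r"^\s*SSLOptions\s+.*\bFakeBasicAuth\b", config, re.M) is not None
    for match in _PROXY_RULE.finditer(config):
        target = match.group(1)
        flags = {f.strip().upper() for f in match.group(2).split(",")}
        if "P" not in flags or not _LOOPBACK_HTTP.match(target):
            continue
        findings.append(
            f"proxy target {target} is plain http on loopback: any local process that "
            "can connect to it bypasses SSLVerifyClient entirely"
        )
        if uses_fake:
            findings.append(
                "FakeBasicAuth: backend credential is DN + the fixed password "
                f"'{FAKE_BASIC_AUTH_PASSWORD}', so the backend cannot tell Apache apart "
                "from another local client presenting the same header"
            )
    return findings


if __name__ == "__main__":
    dn = "/C=US/O=Example/CN=Ricardo Anguiano"  # constructed DN for illustration
    header = fake_basic_auth_header(dn)
    print("backend sees:", header)
    print("which decodes to:", decode_basic_header(header))
    for finding in audit_fragment(SAMPLE_CONFIG):
        print("finding:", finding)
```

The audit only fires for the loopback-over-http case, which is the one where the fixed password matters: with a remote or socket-bound backend the client certificate check is still the gate, with a local TCP backend it is not.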