Jay Zeemer wrote:
| Actually if you query the Zope web service to see what it supports it
| tells you:
|
| Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE,
| PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK

Most Zope objects are willing to respond to a TRACE request, but the
implementation doesn't actually do what TRACE is mandated to:

  $ telnet www.zope.org 80
  Trying 63.240.213.171...
  Connected to www.zope.org.
  Escape character is '^]'.
  TRACE / HTTP/1.1
  Host: www.zope.org

  HTTP/1.0 405 Method Not Allowed

The code (in webdav.Resource) looks like so:

    def TRACE(self, REQUEST, RESPONSE):
        """Return the HTTP message received back to the client as the
        entity-body of a 200 (OK) response. This will often usually
        be intercepted by the web server in use. If not, the TRACE
        request will fail with a 405 (Method Not Allowed), since it
        is not often possible to reproduce the HTTP request verbatim
        from within the Zope environment."""
        self.dav__init(REQUEST, RESPONSE)
        raise MethodNotAllowed, \
            'Method not supported for this resource.'

ZServer / ZPublisher don't add any support for TRACE, so you have no
exploit to worry about.

| TRACE allows for some XSS problems and I just want to make sure I
| have the server locked down against as many vulnerabilities as I can.
| I can not find any mention of the Zope Web Server supporting TRACE so
| I am trying to find out if it actually does support it or if it's just
| reacting to the query.
|
| The tool I used is called Nikto, it's just an HTTP assault tool. It
| looks through a predefined list like Nessus, but restricts itself
| to possible HTTP issues. It also plays a lot nicer on a network :)

Tres.
--
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
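The distinction Tres draws above (a server that advertises TRACE in its Allow list versus one that actually echoes the request back) is something an administrator can verify against their own host rather than inferring from a scanner's method list. The following is an added example, not code from the thread or from Zope: two hypothetical `http.server` handlers, one answering TRACE with a 405 as the post reports Zope does, the other echoing the request as RFC 2616 describes, and a small client-side check that sends a constructed marker header and reports whether it comes back. Handler names, the `X-Trace-Check` header and the token value are all assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class RefusingTraceHandler(BaseHTTPRequestHandler):
    """Hypothetical server that answers TRACE the way the post reports
    Zope does: a 405 instead of an echo of the request."""

    def do_TRACE(self):
        self.send_response(405, "Method Not Allowed")
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet on stderr


class EchoingTraceHandler(RefusingTraceHandler):
    """Hypothetical server that implements TRACE as RFC 2616 specifies:
    the request line and headers are returned as a message/http body.
    This is the behaviour the quoted docstring describes and the 405
    avoids."""

    def do_TRACE(self):
        body = self.raw_requestline + self.headers.as_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler_cls):
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def classify_trace(host, port, token="trace-check-7f3a9c"):
    """Send one TRACE carrying a constructed marker header (assumed name
    X-Trace-Check) and report how the server handled it: 'reflected' if
    the marker comes back in a 200 body, 'refused' on 405/501, 'other'
    for anything else. Only an honest echo of the request triggers
    'reflected'; a method listed in Allow but answered with 405 does not."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Check": token})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status == 200 and token.encode() in body:
        return "reflected"
    if resp.status in (405, 501):
        return "refused"
    return "other"


def check_local(handler_cls):
    """Spin up the given handler on localhost, probe it once, tear it down."""
    server = start_server(handler_cls)
    try:
        return classify_trace(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("refusing server:", check_local(RefusingTraceHandler))  # refused
    print("echoing server: ", check_local(EchoingTraceHandler))   # reflected
```

Pointing `classify_trace` at a real host and port gives the same three-way answer for a deployed server; the marker header is what separates a genuine echo from a 200 that merely happens to contain a normal page body.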