Hum... A possible way to solve this problem is to practice the "you can't do ANYTHING but..." policy... And, thus, according proxy roles to the methods that must access it, such as index_html. I know it's constraining but with a little work we can end up with something quite secure & secret.

P.-J.

Chris Withers wrote:
> > MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
> > by Dave Murphy, member@itrain.org
> >
> > Microsoft is scrambling to repair damage caused by a security hole in its IIS 4 & 5 webserver that runs on Windows NT/2000. Microsoft claims over four million IIS websites, and each one of them is at risk of releasing sensitive data through the security hole. Called the "Web Server Folder Traversal" error, the flaw allows users to execute files on an IIS website by requesting a specific web address.
>
> http://www.zope.org/standard_html_header for example ;-)
> http://www.zope.org/objectIds as another...
>
> > The bug allows access to any file on the webserver via a specified URL. Like all webservers, IIS is supposed to prevent access to files that aren't intended to be part of the website.
>
> Maybe Zope should too....
>
> > This article is posted to http://itrain.org/itinfo/2000/it001017.html
> >
> > Live well, do good,
> > --Dave Murphy
>
> cheers,
>
> Chris
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
--
If the only tool you have is a hammer, you tend to see every problem as a nail.
--Abraham Maslow
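The check the article says every webserver is supposed to enforce, mapping a requested URL onto a file only when the canonical result stays inside the document root, as an added example in Python (not code from this thread, nor from Zope or IIS); the docroot and the request paths are constructed samples:

```python
import os
from urllib.parse import unquote


class TraversalRejected(Exception):
    """Raised when a request path would resolve outside the document root."""


def resolve_under_root(docroot: str, request_path: str) -> str:
    """Map a URL path onto a filesystem path, refusing anything that escapes docroot.

    Order matters: percent-decode first, then let the OS canonicalise the joined
    path (collapsing '..' and resolving symlinks), then compare against the
    canonical root.  Looking for '..' in the raw URL before decoding is the
    mistake that lets an encoded '%2e%2e/' walk out of the web root.
    """
    root = os.path.realpath(docroot)
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in request path")
    # Windows filesystems accept '\' as a separator; normalise it so the
    # containment check below sees the same path the OS would open.
    decoded = decoded.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Canonical containment test: the longest common prefix of root and
    # candidate must be the root itself (this also handles docroot == '/').
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalRejected(f"{request_path!r} resolves outside {docroot!r}")
    return candidate


def is_within_root(docroot: str, request_path: str) -> bool:
    """Boolean form of the check, convenient for filtering request logs."""
    try:
        resolve_under_root(docroot, request_path)
        return True
    except TraversalRejected:
        return False


if __name__ == "__main__":
    # Constructed sample request paths against a hypothetical docroot.
    DOCROOT = "/srv/www"
    for path in ["/index.html", "/docs/../index.html",
                 "/../../secret.txt", "/%2e%2e/%2e%2e/secret.txt",
                 "/..%5c..%5csecret.txt", "/index.html%00.txt"]:
        verdict = "ok     " if is_within_root(DOCROOT, path) else "REJECT "
        print(verdict, path)
```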