RE: [Zope] Does Zope support HTTP Trace method??
Actually if you query the Zope web service to see what it supports it tells you:

Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK

TRACE allows for some XSS problems and I just want to make sure I have the server locked down against as many vulnerabilities as I can. I can not find any mention of the Zope Web Server supporting TRACE so I am trying to find out if it actually does support it or if it's just reacting to the query.

The tool I used is called Nikto, it's just an HTTP assault tool. It looks through a predefined list like Nessus, but restricts itself to possible HTTP issues. It also plays a lot nicer on a network :)

Jay

-----Original Message-----
From: Chris Withers [mailto:chris@simplistix.co.uk]
Sent: Friday, March 11, 2005 10:35 AM
To: Jay Zeemer
Cc: 'zope@zope.org' List Mailing
Subject: Re: [Zope] Does Zope support HTTP Trace method??

Jay Zeemer wrote:
> In a lot of HTTP servers there is a method used for debugging sessions and such called TRACE. Does Zope support this?? And if so is it active, or inactive by default?? How can I turn this on and off??

I'm not aware of any TRACE support in Zope. You run it behind Apache maybe? You been poking with Nessus? ;-)

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Jay Zeemer wrote:
| Actually if you query the Zope web service to see what it supports it
| tells you:
|
| Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE,
| PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK

Most Zope objects are willing to respond to a TRACE request, but the implementation doesn't actually do what TRACE is mandated to:

  $ telnet www.zope.org 80
  Trying 63.240.213.171...
  Connected to www.zope.org.
  Escape character is '^]'.
  TRACE / HTTP/1.1
  Host: www.zope.org

  HTTP/1.0 405 Method Not Allowed

The code (in webdav.Resource), looks like so:

    def TRACE(self, REQUEST, RESPONSE):
        """Return the HTTP message received back to the client as the
        entity-body of a 200 (OK) response. This will often usually
        be intercepted by the web server in use. If not, the TRACE
        request will fail with a 405 (Method Not Allowed), since it
        is not often possible to reproduce the HTTP request verbatim
        from within the Zope environment."""
        self.dav__init(REQUEST, RESPONSE)
        raise MethodNotAllowed, \
            'Method not supported for this resource.'

ZServer / ZPublisher don't add any support for TRACE, so you have no exploit to worry about.

| TRACE allows for some XSS problems and I just want to make sure I
| have the server locked down against as many vulnerabilities as I can.
| I can not find any mention of the Zope Web Server supporting TRACE so
| I am trying to find out if it actually does support it or if it's just
| reacting to the query.
|
| The tool I used is called Nikto, it's just an HTTP assault tool. It
| looks through a predefined list like Nessus, but restricts itself
| to possible HTTP issues. It also plays a lot nicer on a network :)

Tres.
--
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
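As an added example (not code from this thread or from Zope itself), a small Python check that separates a server which merely lists TRACE in its OPTIONS Allow header, as Zope does, from one that genuinely echoes the request back; the HTTP responses it parses are constructed samples modelled on the 405 shown above.

```python
# Tell "TRACE advertised" apart from "TRACE actually reflected".

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def advertised_methods(options_raw):
    """Methods the server claims to support in its OPTIONS Allow header."""
    _, headers, _ = parse_response(options_raw)
    allow = headers.get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}

def classify_trace(trace_request, trace_raw):
    """'refused' (405), 'reflected' (200 echoing our request), or 'other'."""
    status, headers, body = parse_response(trace_raw)
    if status == 405:
        return "refused"
    # A real TRACE echoes the request (message/http); if a browser can read
    # that echo, request headers such as Cookie leak, which is Jay's concern.
    if status == 200 and trace_request.split("\r\n")[0] in body:
        return "reflected"
    return "other"

def assess(options_raw, trace_request, trace_raw):
    """Finding only when TRACE is both advertised and genuinely reflected."""
    advertised = "TRACE" in advertised_methods(options_raw)
    verdict = classify_trace(trace_request, trace_raw)
    return {"advertised": advertised, "trace": verdict,
            "finding": advertised and verdict == "reflected"}

# Constructed samples (not captured from zope.org): a Zope-style OPTIONS reply,
# the TRACE sent in the thread, Zope's 405, and a server that really echoes.
OPTIONS_ZOPE = ("HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, PUT, DELETE, OPTIONS, "
                "TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK\r\n"
                "Content-Length: 0\r\n\r\n")
TRACE_REQ = "TRACE / HTTP/1.1\r\nHost: www.zope.org\r\n\r\n"
TRACE_ZOPE = "HTTP/1.0 405 Method Not Allowed\r\nContent-Type: text/html\r\n\r\n"
TRACE_ECHO = "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" + TRACE_REQ
```

Running assess() on the Zope-style pair reports advertised but refused, i.e. no finding, which is exactly the scanner false positive Tres describes.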