[Zope-dev] Are full pathnames in error messages a security bug?

R. David Murray rdmurray@bitdance.com
Mon, 31 Jul 2000 13:39:33 -0400 (EDT)


I don't know if this has been raised before, but the following excerpt
from the most recent SANS security alert consensus made me think:

---------- Forwarded message ----------
[...]
--> {00.31.014} Apache TomCat leaks system information

Apache's TomCat server has been found to provide various types of system
information to an attacker, such as full system paths being displayed in
error messages. TomCat also comes with the "snoop" servlet, which
provides even more detailed information about the system when invoked.

----------------------------------------

Obviously the 'snoop' servlet is the reason this was posted, but
still, they are calling full path information a security leak.
Not perhaps something to put high on a priority list, but should there
be a way to prevent full path information from appearing in
error messages?  It would have the side benefit of making the
error messages more readable <grin>.

--RDM
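One way to do what the post asks for, shown here as an added example (this is not code from the original post or from Zope): render the traceback twice, keep the full text for the server log, and send the client a copy in which every absolute path has been reduced to its final component. The paths in the sample traceback are constructed, and the regular expression that decides what counts as a path is an assumption of this example.

```python
import re
import traceback

# Absolute path, POSIX ("/usr/local/zope/...") or Windows ("C:\Zope\...").
# The lookbehind leaves relative paths, URLs and fractions such as 1/2 alone.
# This pattern is an assumption of the example; paths containing spaces are
# not recognised by it.
_ABS_PATH_RE = re.compile(
    r'(?<![\w./\\])'                    # not inside a word, URL or relative path
    r'(?:[A-Za-z]:\\|/)'                # drive root (C:\) or POSIX root (/)
    r'(?:[^\s"\'<>:,()\\/]+[\\/])*'     # directory components
    r'[^\s"\'<>:,()\\/]+'               # final component (file name)
)


def redact_paths(text):
    """Return text with every absolute path reduced to its last component."""
    return _ABS_PATH_RE.sub(lambda m: re.split(r'[\\/]', m.group(0))[-1], text)


def error_reports(exc):
    """Render one exception twice and return (client_text, log_text).

    log_text is the full traceback for the server log; client_text is the
    same traceback with install paths removed, for the HTTP response.
    """
    log_text = ''.join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return redact_paths(log_text), log_text


# Constructed sample traceback (hypothetical paths, not a real Zope install).
SAMPLE_TRACEBACK = (
    'Traceback (most recent call last):\n'
    '  File "/usr/local/zope/lib/python/ZPublisher/Publish.py", line 150, in publish\n'
    '    result = mapply(obj, request)\n'
    '  File "/usr/local/zope/lib/python/Products/MyProduct/Foo.py", line 42, in index_html\n'
    '    raise ValueError("bad input")\n'
    'ValueError: bad input\n'
)


def demo():
    """Raise and catch a real exception and return both renderings."""
    try:
        raise ValueError("boom")
    except ValueError as exc:
        return error_reports(exc)


if __name__ == '__main__':
    print(redact_paths(SAMPLE_TRACEBACK))
    client, log = demo()
    print(client)
```

The client copy still discloses module file names (Publish.py, Foo.py), which is usually acceptable and does make the message shorter to read; the install prefix, which is what the SANS item objects to, is gone. Anything that needs the full path, such as a bug report, should come from the server log, not from the response.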