[Zope-dev] Virtual Host Monster Paranoia

Evan Simpson evan@4-am.com
Tue, 13 Feb 2001 09:18:00 -0500


From: "Chris Withers" <chrisw@nipltd.com>
> Well, it's easy enough to find out if a site is running Zope, then this
becomes
> pretty easy attack to think of....

I'm not going to claim that this is perfectly harmless, but I can't think of
any way in which this could be termed an "attack".  You can already provide
any traversal path you like in the URL; All VHM adds is the ability to
manipulate generated URLs, and in fairly crude ways.  These URLs come back
to your browser in a page, where they have no more potential for harm than
if you'd assembled them by hand.

The only scenario I can imagine where this could even affect the operation
of a site is one where the site uses URLs internally in some fashion.  This
is part of the reason that Zope has shifted from using URLs to paths when
addressing objects, since paths are unaffected by URL manipulation.

Cheers,

Evan @ digicool & 4-am