[Zope-dev] Remotely running in Control_Panel
Greg.Moore@zcsterling.com
Tue, 6 Nov 2001 09:16:11 -0500
I had a question for the group.
I am concerned that a remote user can attempt to run things in the
Control_Panel area.
-----------------------------------------------------------------------------
Example (1)
An example is with Yihaw. I can run the following URL on a Zope system for
an installed product.
http://localhost:8080/Control_Panel/Products/YihawDirectory/YihawChannel_add
I receive: Zope Error, Error Type: KeyError, Error Value: title (edited for
brevity).
Even though I got an error, I got some information about the system. Is
this not the beginning of a security problem?
-----------------------------------------------------------------------------
Example (2)
With ZWiki I can do the following:
http://localhost:8080/Control_Panel/Products/ZWiki/basic-0.9.5/FrontPage
I get a full page for a site that doesn't exist.
-----------------------------------------------------------------------------
In some instances (such as http://localhost:8080/Control_Panel) I get a
request to log into the administrative portion. Good!
Should I not always be required to log in? Is this an issue with Yihaw? An
issue with my permissions?
Thank you!
Greg Moore
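
The three behaviours described in this message (a login challenge, an error page, a page served in full) can be checked for on one's own Zope instance with a small audit script. This is an added example, not part of the original post or of Zope itself; the function names and finding labels are hypothetical, and it assumes the error page contains the text "Error Type" as quoted above.

```python
"""Added example: audit which Control_Panel URLs answer without credentials."""
import urllib.error
import urllib.request

# Paths taken from the post; the base URL is the poster's localhost instance.
PATHS = [
    "/Control_Panel",
    "/Control_Panel/Products/YihawDirectory/YihawChannel_add",
    "/Control_Panel/Products/ZWiki/basic-0.9.5/FrontPage",
]


def classify(status, body):
    """Map the response to an anonymous request onto a finding label."""
    if status in (401, 403):
        return "auth-required"
    if "Error Type" in body or status >= 500:
        return "error-detail-exposed"   # e.g. the KeyError page in Example (1)
    if 200 <= status < 300:
        return "served-anonymously"     # e.g. the ZWiki page in Example (2)
    return "other"


def fetch_anonymous(url, timeout=5):
    """GET url with no credentials; return (status, body) even for HTTP errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(base, paths=PATHS, fetch=fetch_anonymous):
    """Return {path: finding} for every path requested without credentials."""
    return {p: classify(*fetch(base.rstrip("/") + p)) for p in paths}


def constructed_fetch(url):
    """Constructed responses mirroring the three behaviours in the post."""
    if url.endswith("/Control_Panel"):
        return 401, "Unauthorized"
    if url.endswith("YihawChannel_add"):
        return 200, "Zope Error Error Type: KeyError Error Value: title"
    return 200, "<html>FrontPage</html>"


if __name__ == "__main__":
    # Drop fetch=constructed_fetch to query a live instance you administer.
    for path, finding in audit("http://localhost:8080", fetch=constructed_fetch).items():
        print(f"{finding:22} {path}")
```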