[Zope-dev] Vulnerability: attacking can get file list and directory

Joachim Werner joe@iuveno-net.de
Mon, 24 Sep 2001 02:24:44 +0200


> Vulnerability: attacker can get file list and directory
> Tested on Win32 platform
>
> Example:
> telnet zopeserver 8080
> PROPFIND / HTTP/1.0
> <enter>
> <enter>
> <enter>
>
> < list files and directory >
>
> This was tested on my site:
> security.instock.ru 8080

This one really seems to be the old "WebDAV is not safe" one. I guess it has
been tackled already. You should be able to switch the file listing off for
the Anonymous User in Zope 2.4.1 ...

Joachim
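
A defender-side check for the behaviour discussed in this thread, as an added example that is not part of the original messages: it scans access-log lines and flags PROPFIND requests that were answered with 207 Multi-Status for a client that was not logged in. The Common Log Format layout, the spellings used for an unauthenticated user, and the sample lines are all assumptions constructed for the example.

```python
import re

# Assumed layout (Common Log Format):
#   host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption: an unauthenticated client is logged as "-" or "Anonymous".
ANONYMOUS = {"-", "anonymous"}


def anonymous_listings(lines):
    """Return (host, path) for every PROPFIND that got a 207 listing
    without the client being authenticated."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # not a CLF line, ignore it
        if (m["method"] == "PROPFIND"
                and m["status"] == "207"
                and m["user"].lower() in ANONYMOUS):
            hits.append((m["host"], m["path"]))
    return hits


# Constructed sample log (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    # anonymous PROPFIND answered with a listing: should be flagged
    '192.0.2.10 - - [24/Sep/2001:02:10:01 +0200] "PROPFIND / HTTP/1.0" 207 4312',
    # ordinary page view: ignored
    '192.0.2.10 - - [24/Sep/2001:02:10:05 +0200] "GET /index_html HTTP/1.0" 200 1021',
    # authenticated WebDAV client: ignored
    '198.51.100.7 - manager [24/Sep/2001:02:11:40 +0200] "PROPFIND /docs HTTP/1.1" 207 2210',
    # listing refused for an anonymous client (the desired state): ignored
    '203.0.113.5 - - [24/Sep/2001:02:12:12 +0200] "PROPFIND /private HTTP/1.1" 401 0',
    # anonymous user logged by name: should be flagged
    '192.0.2.10 - Anonymous [24/Sep/2001:02:13:00 +0200] "PROPFIND /images HTTP/1.0" 207 880',
]

if __name__ == "__main__":
    for host, path in anonymous_listings(SAMPLE_LOG):
        print(f"anonymous directory listing served: {host} -> {path}")
```

An empty result after the file listing has been switched off for the Anonymous User is the state to aim for; any remaining hit names a path that still answers PROPFIND without authentication.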