[Zope-dev] Vulnerability: attacking can get file list and directory
Shane Hathaway
shane@zope.com
Mon, 24 Sep 2001 10:59:11 -0400
Oliver Bleutgen wrote:
> From a non-technical, PR-wise point of view let me add that
> this type of "vulnerability" easily gets zope mentioned on lists
> like bugtraq. The perception is that these thing really are
> vulnerabilities.
You're right, a quick search on google for "path disclosure
vulnerability" yields a lot of hits for lots of applications.
It troubles me that people consider PDV to be important at all when the
client-side trojan bug is still fully exploitable on all browsers
including IE and Mozilla! (AFAIK) Client-side trojans, which can cause
your browser to invisibly post a comment on a weblog, execute a
financial transaction, or break into servers you maintain, are a major risk.
PDV just yields information you might give out anyway. But maybe we
could deal with it anyway by writing an "error.log" instead of sending
the traceback to the browser. What do you think?
Shane