[Zope-dev] Vulnerability: attacking can get file list and directory
Leonardo Rochael Almeida
leo@hiper.com.br
Mon, 24 Sep 2001 12:36:18 -0300
Shane Hathaway wrote:
> [...]
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?
I think it's fine, but only if specified on the z2.py cmdline or other
configuration equivalent (--paranoid or PARANOID="yes, please!" come to
mind :-). But I guess that goes without saying.
Alternatively (or concurrently) we could reformat the traceback to
report file names relative to the Zope installation directory (or to
INSTANCE_HOME) instead of reporting the absolute filename. In this case
the only leaked information is of the kind an attacker could easily
obtain from downloading the Zope source code, which, last time I looked, was
available for all those damned script kiddies to download. Damn these
open-source projects who keep posting their source code, allowing
Hackers(TM) to look at its vulnerabilities :-)
Cheers, Leo
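As an added illustration of the two mitigations discussed in this thread (not code from Zope or from any of the posters): a helper that rewrites the `File "..."` components of a Python traceback to paths relative to a set of known roots (the Zope home and INSTANCE_HOME), dropping everything but the basename for files under any other directory, plus a "paranoid" mode that sends the browser a generic message and keeps the full traceback for an error log. The root directories, the traceback text and the `PARANOID`/`--paranoid` switch handling are all constructed for the example; Zope's real publisher does not expose these functions.

```python
import posixpath
import re
import traceback
from typing import Iterable, List

# Frame line as emitted by the standard library:  File "<path>", line <n>, in <func>
_FRAME_RE = re.compile(r'(File ")([^"]+)(", line \d+)')

# Constructed example roots: SOFTWARE_HOME and INSTANCE_HOME of a hypothetical install.
# posixpath is used deliberately so the rewriting is deterministic on Unix-style paths,
# which is what a Zope 2 host of this era would have produced.
EXAMPLE_ROOTS = ["/usr/local/zope", "/home/alice/instance"]


def relativize_path(path: str, roots: Iterable[str]) -> str:
    """Return `path` relative to the most specific root that contains it.

    Files outside every root (e.g. the system Python library) are reduced to
    their basename so the traceback reveals nothing about the host layout.
    """
    norm = posixpath.normpath(path)
    # Longest root first so an INSTANCE_HOME nested inside SOFTWARE_HOME wins.
    for root in sorted((posixpath.normpath(r) for r in roots), key=len, reverse=True):
        if norm == root or norm.startswith(root + "/"):
            return posixpath.relpath(norm, root)
    return posixpath.basename(norm)


def sanitize_traceback(tb_text: str, roots: Iterable[str]) -> str:
    """Rewrite every `File "..."` reference in a formatted traceback."""
    roots = list(roots)

    def _repl(m: "re.Match[str]") -> str:
        return m.group(1) + relativize_path(m.group(2), roots) + m.group(3)

    return _FRAME_RE.sub(_repl, tb_text)


def paranoid_enabled(argv: List[str], environ: dict) -> bool:
    """Constructed switch: `--paranoid` on the command line or a PARANOID env var.

    Any value other than an explicit "no"-style string counts as enabled, so
    PARANOID="yes, please!" works as well as PARANOID=1.
    """
    if "--paranoid" in argv:
        return True
    value = environ.get("PARANOID", "").strip().lower()
    return value not in ("", "0", "no", "off", "false")


def render_error(exc: BaseException, roots: Iterable[str],
                 paranoid: bool, error_log: List[str]) -> str:
    """Return the body to send to the browser.

    In paranoid mode the full, unsanitized traceback goes only to `error_log`
    (a stand-in for an error.log file); otherwise the browser still gets a
    traceback, but with paths relativized.
    """
    full = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if paranoid:
        error_log.append(full)
        return "Internal Server Error: details have been written to the server error log."
    return sanitize_traceback(full, roots)


# Constructed traceback text resembling what a Zope 2 publisher error looked like.
EXAMPLE_TRACEBACK = (
    'Traceback (most recent call last):\n'
    '  File "/usr/local/zope/lib/python/ZPublisher/Publish.py", line 150, in publish\n'
    '    result = apply(object, args)\n'
    '  File "/home/alice/instance/Products/Foo/bar.py", line 12, in index_html\n'
    '    return string.join(x)\n'
    '  File "/usr/lib/python2.1/string.py", line 119, in join\n'
    '    return sequence[0]\n'
    'IndexError: list index out of range\n'
)

if __name__ == "__main__":
    print(sanitize_traceback(EXAMPLE_TRACEBACK, EXAMPLE_ROOTS))
```

Note that basenames are still leaked for files outside the known roots (here `string.py`); if even module names are considered sensitive, the paranoid path is the only one that reveals nothing to the client.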