[Zope-dev] Vulnerability in Zope

Michael R. Bernstein webmaven@lvcm.com
25 Sep 2001 16:15:26 -0700


On Sun, 2001-09-23 at 17:00, Andy McKay wrote:
>
> [snip]
> Haven't we been complaining about this automatic appending of
> tracebacks for
> a while? To me this is what log files are for.... but I'm not sure what this
> guy is on. I wouldn't count this as a "security vulnerability".

Hmm. It's 'side-band' information. Assuming that a cracker could get
arbitrary code to run on the server through some other vulnerability
(say a buffer overflow in some daemon), this information could be
exploited to make their attack on the Zope installation more targeted.

All this is assuming that the cracker in question is very clever, and
has something in mind that is more subtle than simply shutting the
server down, because if they can get arbitrary code to run on the
server, it's toast anyway.

An example of a subtle attack would be re-writing an e-commerce product
so that any credit-card information would get silently copied and
forwarded elsewhere.

In short, the principle here is that *given* that some other
vulnerability could give a cracker access to the server in some way, you
still don't want to give them any more information on the server
configuration than you have to.

Michael Bernstein.