[Zope-dev] information disclosure vulnerability

Jerome Alet alet@librelogiciel.com
Tue, 3 Dec 2002 09:24:53 +0100


Hi,

Probably the HelpSys object shouldn't be available by default
to non-authenticated users, because it gives too much information
on the currently installed products.

Access any Zope site this way:

        http://your.zope.site/HelpSys
        
and you'll learn what products are available on the server.

This can't lead to a direct compromise, but this gives way
too much information to anonymous users IMHO.

Tested today on several low and very high profile sites.

bye,

Jerome Alet
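The anonymous probe described in the post, as an added example that is not part of the original message and not Zope's own code: it requests /HelpSys without credentials and reports whether the object is reachable, listing the link texts on the page (the product names the post refers to). It assumes only that Zope answers a permitted anonymous request with HTTP 200 and a denied one with 401 or 403; the sample HTML and product names below are constructed for this example and do not claim to reproduce real HelpSys markup.

```python
"""Check whether a Zope site serves /HelpSys to anonymous users.

Added example, not from the original post. Assumptions: a 200 response
means the object is viewable anonymously, 401/403 means it is protected,
404 means it is absent. SAMPLE_EXPOSED is constructed test input.
"""
from html.parser import HTMLParser
import sys
import urllib.error
import urllib.request


class LinkTextCollector(HTMLParser):
    """Collect the visible text of every <a href="..."> element."""

    def __init__(self):
        super().__init__()
        self._in_link = False
        self._buf = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        # only anchors with an href are navigation links worth listing
        if tag == "a" and any(name == "href" for name, _ in attrs):
            self._in_link = True
            self._buf = []

    def handle_data(self, data):
        if self._in_link:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_link:
            self._in_link = False
            text = "".join(self._buf).strip()
            if text:
                self.links.append(text)


def link_texts(html):
    """Return the link texts found in an HTML document, in page order."""
    parser = LinkTextCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def classify(status, body):
    """Map an anonymous GET /HelpSys response to a verdict and leaked names."""
    if status == 200:
        return "exposed", link_texts(body)
    if status in (401, 403):
        return "protected", []
    if status == 404:
        return "absent", []
    return "unknown", []


def probe(base_url, timeout=10):
    """Fetch <base_url>/HelpSys with no credentials and classify the answer."""
    url = base_url.rstrip("/") + "/HelpSys"
    req = urllib.request.Request(url, headers={"User-Agent": "helpsys-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # Zope's 401 (and any 403/404) arrives here as an exception
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample: what an exposed page might look like. The anchor
# without an href must be ignored by the collector.
SAMPLE_EXPOSED = """<html><body>
<h1>Help</h1>
<ul>
<li><a href="/HelpSys/SomeProduct">SomeProduct</a></li>
<li><a href="/HelpSys/OtherProduct">OtherProduct</a></li>
</ul>
<a name="top"></a>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: helpsys_check.py http://your.zope.site")
        sys.exit(2)
    verdict, names = probe(sys.argv[1])
    print(verdict)
    for name in names:
        print("  ", name)
```

Run it only against a site you are responsible for. A "protected" verdict means anonymous users get Zope's 401 challenge instead of the page; "exposed" lists the names an anonymous visitor could read, which is the information the post objects to.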