[Zope-dev] Re: information disclosure vulnerability
Maik Jablonski
maik.jablonski@uni-bielefeld.de
Tue, 03 Dec 2002 12:01:50 +0100
Jerome Alet wrote:
> probably the HelpSys object shouldn't be available by default
> to non-authenticated users, because it gives too much information
> on the currently installed products.
>
> access any Zope site this way :
>
> http://your.zope.site/HelpSys
>
> and you'll learn what products are available on the server.

Another way to gather this data would be:

http://YourServer/Control_Panel/Products/ExternalEditor

gives Anonymous the ZopeStartPage if ExternalEditor is installed and a
SiteError if not.
-mj
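
An added example, not part of the original posts: a log check a site operator could run to spot unauthenticated requests to the two paths mentioned in this thread. It assumes a combined-format access log in which a request without a login is recorded as `-` or `Anonymous`; the function names, the threshold and the sample lines are constructed for illustration.

```python
import re

# Combined-log-format line: host ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Paths named in the thread; compared as path prefixes, query string ignored.
SENSITIVE_PREFIXES = ("/HelpSys", "/Control_Panel/Products")
UNAUTHENTICATED = {"-", "Anonymous"}  # assumption: how the log marks "no login"

def is_sensitive(path):
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def find_anonymous_probes(lines):
    """Return (host, path, status, served) for unauthenticated sensitive hits."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] not in UNAUTHENTICATED:
            continue
        if is_sensitive(m["path"]):
            status = int(m["status"])
            # served=True: a page was returned to a client that never logged in
            hits.append((m["host"], m["path"], status, 200 <= status < 300))
    return hits

def hosts_enumerating_products(hits, threshold=3):
    """Hosts that asked for several distinct product paths without a login."""
    seen = {}
    for host, path, _status, _served in hits:
        if path.startswith("/Control_Panel/Products/"):
            seen.setdefault(host, set()).add(path.split("?", 1)[0])
    return sorted(h for h, paths in seen.items() if len(paths) >= threshold)

# Constructed sample log lines (documentation addresses, made-up product names).
TS = "[03/Dec/2002:12:00:00 +0100]"
SAMPLE_LOG = [
    f'192.0.2.10 - Anonymous {TS} "GET /HelpSys HTTP/1.0" 200 5120 "" "x"',
    f'192.0.2.10 - Anonymous {TS} "GET /Control_Panel/Products/ExternalEditor HTTP/1.0" 200 2048 "" "x"',
    f'192.0.2.10 - Anonymous {TS} "GET /Control_Panel/Products/ProductA HTTP/1.0" 404 512 "" "x"',
    f'192.0.2.10 - Anonymous {TS} "GET /Control_Panel/Products/ProductB HTTP/1.0" 404 512 "" "x"',
    f'198.51.100.7 - admin {TS} "GET /Control_Panel/Products/ExternalEditor HTTP/1.0" 200 2048 "" "x"',
    f'198.51.100.8 - Anonymous {TS} "GET /index_html HTTP/1.0" 200 900 "" "x"',
]

if __name__ == "__main__":
    hits = find_anonymous_probes(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("enumerating hosts:", hosts_enumerating_products(hits))
```

Error responses are kept in the results because, as the post above notes, the difference between the start page and the error is itself what reveals whether a product is installed.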