[Zope-dev] Re: information disclosure vulnerability
Jamie Heilman
jamie@audible.transient.net
Tue, 3 Dec 2002 09:12:38 -0800
> http://YourServer/Control_Panel/Products/ExternalEditor
>
> gives Anonymous the ZopeStartPage if ExternalEditor is installed and a
> SiteError if not.

I believe this particular item can be worked around to a degree.
In the index_html in the root folder I simply put:

    <dtml-raise NotFound>index_html</dtml-raise>

This helps hide the fact that certain objects are present, but it
doesn't protect from the HelpSys or other kinds of acquisition
treachery. Of course I can get away with this because I didn't need my
root index_html for content... if you have your site set up
differently you may have to wrap that with some URI checks first.

--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
I liked you better when you weren't saying squat kid." -Buddy