[Zope-dev] possible compromise

Paul Winkler pw_lists at slinkp.com
Tue Oct 14 17:02:04 EDT 2003


On Tue, Oct 14, 2003 at 04:18:17PM -0400, Tres Seaver wrote:
> On Tue, 2003-10-14 at 16:08, Chris Pelton wrote:
> > Yes, that's what I'm thinking happened here, but I need to verify that 
> > was the case.  Are there any logs in zope that could help track this 
> > down, or a known configuration that would allow it to happen? Also, for 
> > future reference, can we disable this? Any ideas how someone might be 
> > able to tell Zope is running?
> 
> I believe that the scenario Robert is describing does not actually
> involve Zope at all;  rather, (in this scenario) Apache is willing to
> forward arbitrary traffic, via the 'CONNECT' verb.  Check your Apache
> access logs for the HTTP verb, 'CONNECT'.  Squid's default configs have
> specific settings to allow CONNECT only for HTTPS;  I'm guessing that
> your Apache config might need to be tweaked likewise.

Yup, I don't think zope even *can* do something like that.
I was guessing that the exploit was at the application level - 
somebody found a MailHost with wide-open permissions
and abused it with a client script. 

-- 

Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's THE INTOXICATED GIRL!
(random hero from isometric.spaceninja.com)
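Tres's suggestion to check the Apache access log for the CONNECT verb, worked through as an added example that is not part of this thread or of Zope or Apache: a small Python checker that parses combined-format access log lines, keeps only CONNECT requests, and flags any whose target port is not 443 (mirroring the Squid default of allowing CONNECT only to the HTTPS port). The log lines, hostnames and addresses are constructed for the example; the assumed log layout is Apache's standard combined LogFormat.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: client, ident, user, [time], "request", status, size, ...
# The request line for a proxied tunnel looks like: CONNECT host:port HTTP/1.0
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption (as in Squid's default ACLs): CONNECT is only expected for HTTPS.
ALLOWED_CONNECT_PORTS = {443}

# Constructed sample log: normal page hit, two tunnels to SMTP that were relayed,
# one legitimate HTTPS tunnel, one refused tunnel to IRC, and an unparsable line.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2003:15:01:02 -0400] "GET /index_html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.23 - - [14/Oct/2003:15:02:10 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"
198.51.100.23 - - [14/Oct/2003:15:02:11 -0400] "CONNECT mail.example.org:25 HTTP/1.0" 200 - "-" "-"
192.0.2.44 - - [14/Oct/2003:15:03:30 -0400] "CONNECT www.example.com:443 HTTP/1.0" 200 - "-" "-"
198.51.100.23 - - [14/Oct/2003:15:04:00 -0400] "CONNECT 192.0.2.9:6667 HTTP/1.0" 403 - "-" "-"
garbage line
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def connect_port(target):
    """Extract the numeric port from a CONNECT target such as host:port."""
    _host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def audit(lines):
    """Return (findings, counts) for CONNECT requests to unexpected ports.

    A 2xx status means Apache actually relayed the tunnel ("relayed");
    anything else means the request was refused ("attempted").
    """
    findings = []
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        if rec["method"] != "CONNECT":
            continue
        counts["connect_total"] += 1
        port = connect_port(rec["target"])
        if port in ALLOWED_CONNECT_PORTS:
            continue
        outcome = "relayed" if 200 <= rec["status"] < 300 else "attempted"
        counts[outcome] += 1
        findings.append({
            "client": rec["ip"],
            "time": rec["time"],
            "target": rec["target"],
            "port": port,
            "status": rec["status"],
            "outcome": outcome,
        })
    return findings, counts


def summarize_by_client(findings):
    """Count flagged CONNECT requests per client address."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    found, totals = audit(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']} {f['client']} CONNECT {f['target']} -> {f['status']} ({f['outcome']})")
    print(dict(totals))
    print(summarize_by_client(found))
```

A CONNECT to port 25 answered with a 2xx status is the pattern to look for when an open proxy is being used as a mail relay; a 403 or 405 shows the request was refused. On Apache httpd the forwarding Tres describes is governed by ProxyRequests (it should be Off unless the server is meant to be a forward proxy), and where a forward proxy is intended, AllowCONNECT restricts the ports CONNECT may reach.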