[ZWeb] Returned mail: see transcript for details
Mail Delivery Subsystem
MAILER-DAEMON@smtp.zope.com
Sat, 5 Apr 2003 08:23:38 -0500
This is a MIME-encapsulated message
--h35DNbkk024245.1049549018/smtp.zope.com
The original message was received at Sat, 5 Apr 2003 08:23:21 -0500
from mail.python.org [12.155.117.29]
----- The following addresses had permanent fatal errors -----
paul@mail.zope.com
(reason: 550 paul@mail.zope.com unknown user account)
(expanded from: <paul@zope.com>)
----- Transcript of session follows -----
... while talking to mail.zope.com.:
>>> DATA
<<< 550 paul@mail.zope.com unknown user account
550 5.1.1 paul@mail.zope.com... User unknown
--h35DNbkk024245.1049549018/smtp.zope.com
Content-Type: message/delivery-status
Reporting-MTA: dns; smtp.zope.com
Arrival-Date: Sat, 5 Apr 2003 08:23:21 -0500
Final-Recipient: RFC822; paul@zope.com
X-Actual-Recipient: RFC822; paul@mail.zope.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.zope.com
Diagnostic-Code: SMTP; 550 paul@mail.zope.com unknown user account
Last-Attempt-Date: Sat, 5 Apr 2003 08:23:37 -0500
--h35DNbkk024245.1049549018/smtp.zope.com
Content-Type: message/rfc822
Return-Path: <zope-web@zope.org>
Received: from mail.python.org (mail.python.org [12.155.117.29])
by smtp.zope.com (8.12.5/8.12.5) with ESMTP id h35DNLOi024239
for <paul@zope.com>; Sat, 5 Apr 2003 08:23:21 -0500
Received: from [12.155.117.30] (helo=cvs.baymountain.com)
by mail.python.org with esmtp (Exim 4.05)
id 191mso-0007nA-00; Sat, 05 Apr 2003 07:34:54 -0500
From: "Collector: NEW Zope.org (the ..." <zope-web@zope.org>
To: efge <fg@nuxeo.com>, paul <paul@zope.com>, beacon <seb@jamkit.com>,
sidnei <sidnei@x3ng.com.br>
Subject: [ZOC] 68/ 1 Request "WebDAV allows complete listings of the site"
X-Recipients-debug: ['efge', 'efge', 'paul', 'lennart', 'beacon', 'sidnei']
Message-Id: <E191mso-0007nA-00@mail.python.org>
Date: Sat, 05 Apr 2003 07:34:54 -0500
X-Spam-Status: No, hits=-1.7 required=5.0 tests=BODY_PYTHON_ZOPE,SPAM_PHRASE_00_01
X-Spam-Level:
X-MailScanner: Found to be clean
Issue #68 Update (Request) "WebDAV allows complete listings of the site"
** Security Related ** (Confidential)
Status Pending_confidential, content/bug critical
To followup, visit:
http://collector.zope.org/ZopeOrg/68
==============================================================
= Request - Entry #1 by efge on Apr 5, 2003 7:34 am
Uploaded: "zope-propfind.txt"
- http://collector.zope.org/ZopeOrg/68/zope-propfind.txt/view
Using Nautilus from Gnome 2.2, if you go to http://zope.org without any authentication, you still get a full listing of the site objects.

Nautilus does a PROPFIND, controlled by "WebDAV access", and it appears that this is allowed for Anonymous on zope.org. I suggest removing the "WebDAV access" permission from Anonymous.

I'm attaching a dump of the TCP conversation.
==============================================================
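A way to verify the exposure described in the entry above on a site you administer, and to confirm it is gone after the "WebDAV access" permission is removed from Anonymous. This is an added example, not code from the collector thread or from Zope: it sends a single unauthenticated Depth: 1 PROPFIND and treats a 207 Multi-Status reply that names resources other than the requested path as an anonymous listing. The function names, the `probe` helper and the sample multistatus body are assumptions constructed for illustration, not captured traffic from zope.org.

```python
"""Audit check: does an unauthenticated WebDAV PROPFIND disclose a folder listing?

Assumed helper names; the sample response below is constructed, not captured.
"""
import http.client
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DAV = "{DAV:}"

# Minimal Depth:1 PROPFIND body asking only for resourcetype; no Authorization header is sent,
# so the server answers as it would to Anonymous.
PROPFIND_BODY = (b'<?xml version="1.0" encoding="utf-8"?>'
                 b'<D:propfind xmlns:D="DAV:"><D:prop><D:resourcetype/></D:prop></D:propfind>')


def listed_children(multistatus_xml: bytes, request_path: str) -> list:
    """Return hrefs of child resources named in a DAV multistatus response.

    The requested collection itself is excluded, so a non-empty result means the
    server told the caller which objects live under request_path.
    """
    root = ET.fromstring(multistatus_xml)
    children = []
    for response in root.iter(DAV + "response"):
        href_el = response.find(DAV + "href")
        if href_el is None or not href_el.text:
            continue
        href = href_el.text.strip()
        if href.rstrip("/") == request_path.rstrip("/"):
            continue  # the collection being queried, not one of its members
        children.append(href)
    return children


def anonymous_listing_exposed(status: int, body: bytes, request_path: str) -> bool:
    """Interpret one PROPFIND reply.

    207 with member entries -> Anonymous can enumerate the folder (the reported problem).
    401/403 (or any non-207) -> the permission is withheld from Anonymous, as it should be.
    """
    if status != 207:
        return False
    return len(listed_children(body, request_path)) > 0


def probe(url: str, timeout: float = 10.0):
    """Send one unauthenticated Depth:1 PROPFIND to a site you administer; returns (status, body)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    conn.request("PROPFIND", path, body=PROPFIND_BODY,
                 headers={"Depth": "1", "Content-Type": "text/xml"})
    resp = conn.getresponse()
    return resp.status, resp.read()


# Constructed sample of what an exposed 207 reply looks like (not real zope.org data).
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:">
  <d:response><d:href>/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
  <d:response><d:href>/Members/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
  <d:response><d:href>/index_html</d:href><d:propstat><d:prop><d:resourcetype/></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
</d:multistatus>"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in probe("https://your-site.example/")
    # to check a server you operate, before and after removing "WebDAV access" from Anonymous.
    print(listed_children(SAMPLE_MULTISTATUS, "/"))
    print("exposed:", anonymous_listing_exposed(207, SAMPLE_MULTISTATUS, "/"))
```

Run it once before the permission change and once after: the first run should print the member names, the second should come back with a 401 or 403 and `exposed: False`. A 207 that lists only the requested path itself is also reported as not exposed, since nothing about the folder's contents was disclosed.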
--h35DNbkk024245.1049549018/smtp.zope.com--