[Zope] IIS and Zope share same problem :-S
Ragnar Beer
rbeer@uni-goettingen.de
Fri, 20 Oct 2000 14:14:04 +0200
As I already suggested ages ;) ago (and still didn't put into
practice) it would here again be best to deny everything that isn't
explicitly allowed (e.g. allow whatever ends with _html or .html and
deny everything else) but then I would have to go over the whole
website and make bazillions of changes ...

I fixed the problem temporarily by adding some
"FilesMatch/LocationMatch + deny from all" in my httpd.conf. But what
else do I have to deny apart from objectIds?

Ragnar

>Andrew Kenneth Milton wrote:
>>
>> |
>> | http://www.zope.org/standard_html_header for example ;-)
>>
>> Not that old chestnut again...
>
>Yes, that old chestnut again. If it's considered a serious security flaw
>by Microsoft, maybe the Zope community should finally do something to
>solve it.
>
>...and yes, there are discussions about this on Zope-dev right now,
>which will hopefully produce a solution :-)
>
>cheers,
>
>Chris
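
The two approaches discussed in the message above, side by side, as an added example that is not part of the original post. It assumes an Apache httpd.conf using the same Order/Deny/Allow access syntax as the "deny from all" the post mentions; the patterns are constructed for illustration, with standard_html_header taken from the quoted URL.

```apache
# Added example (not from the original post); patterns are constructed.
# Use ONE of the two variants below, not both.

# --- Variant A: deny-list, the temporary fix described in the post ---
# Every object id that must not be served directly has to be enumerated.
# Any id missing from the pattern stays reachable, which is why the post
# asks what else needs denying.
<LocationMatch "/standard_html_header$">
    Order allow,deny
    Deny from all
</LocationMatch>

# --- Variant B: default-deny, the approach the post says would be best ---
# Step 1: refuse every URL on the server.
<Location />
    Order deny,allow
    Deny from all
</Location>

# Step 2: re-open only URLs whose path ends in _html or .html.
# This section appears later in the file, so it is applied after
# <Location /> and its access rules take effect for matching URLs.
# /standard_html_header ends in "_header", so it stays denied without
# being named anywhere.
<LocationMatch "(_html|\.html)$">
    Order allow,deny
    Allow from all
</LocationMatch>

# Consequence of Variant B: the site root, folder URLs, images and any
# other URL not ending in _html or .html are refused until they are
# renamed or given their own allow section. That is the site-wide
# rework the post refers to.

# On Apache 2.4 the equivalent directives are "Require all denied" in
# step 1 and "Require all granted" in step 2.
```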