[Zope] ZHTTP Server allows server name
Oleg Broytmann
Oleg Broytmann <phd@mail2.phd.pp.ru>
Sun, 11 Mar 2001 15:25:01 +0300 (MSK)
Hello!
Our system/network admins scanned our local network and found a strange
proxy on my computer :)
> telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://www.zope.org/ HTTP/1.0
Host: localhost
Then Zope returned the root page of localhost, not www.zope.org, so it is
not a security hole, but anyway I think ZServer should not accept a server name
in the request. Instead an error (perhaps HTTP error 400) should be
returned.
Should I report this to Collector?
Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
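
The check suggested in the message above, as an added example that is not part of the original post and is not ZServer's code: it serves ordinary path requests and absolute URIs that name the server itself, and answers 400 when the absolute URI names a foreign host. `LOCAL_HOSTS` and `check_request_line` are hypothetical names, and the sample request lines are constructed.

```python
from urllib.parse import urlsplit

# Hostnames this server answers for (assumption, constructed for the example).
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def check_request_line(request_line, local_hosts=LOCAL_HOSTS):
    """Return (status, local_path) for a raw HTTP request line.

    200 and the path to serve for an origin-form target ("/path") or an
    absolute URI whose host is one of ours; 400 and None for anything else,
    including proxy-style requests that name a foreign host.
    """
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, None
    target = parts[1]
    if target.startswith("/"):
        return 200, target                      # GET /index_html HTTP/1.0
    try:
        url = urlsplit(target)                  # GET http://host/path HTTP/1.0
    except ValueError:
        return 400, None
    if url.scheme not in ("http", "https") or not url.hostname:
        return 400, None
    if url.hostname not in local_hosts:         # hostname is already lowercased
        return 400, None                        # foreign host: refuse, do not serve "/"
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    return 200, path


if __name__ == "__main__":
    samples = [                                 # constructed request lines
        "GET / HTTP/1.0",
        "GET http://www.zope.org/ HTTP/1.0",
        "GET http://localhost:8080/index_html?x=1 HTTP/1.0",
    ]
    for line in samples:
        print(line, "->", check_request_line(line))
```

The absolute form is accepted for the server's own names because HTTP/1.1 (RFC 2616, section 5.1.2) requires servers to accept it; only the foreign-host case is rejected.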