[Zope] isecure XML-RPC handling.

Rossen Raykov raikovr@yahoo.com
Tue, 2 Apr 2002 14:33:41 -0500


Zope is not handling correct XML-RPC request.

Even the example from http://www.zope.org/Members/Amos/XML-RPC is not
working.

Even worst if a request like this one in the quoted example is send to the
web server it will report information about the local server installation
and the internal network.

Included are a request and response to www.zope.org.

As one may see the server is installed in
/usr/local/base/Zope-2.3.2-modified/
and it rely on 10.0.11.3:1380 for request processing.

All this may be useful debug information but it is not acceptable for a
production server!

I'm not familiar with Zope and I cannot say is it only a configuration
problem or it is a problem in the code.

I do not have time to investigate that but a similar result may be achieved
with the distribution offered for download.

Please let me know if I have to send this bug information to some one else.

I would like to be informed and when this issue is resolved so I can
announce it on Bug-Traq.

Regards,
Rossen Raykov

<cut here>
$ telnet www.zope.org 80
Trying 63.102.49.33...
Connected to www.zope.org.
Escape character is '^]'.
POST /Foo/Bar/MyFolder HTTP/1.0
Content-Type: text/xml
Content-length: 95

<?xml version="1.0"?>
<methodCall>
 <methodName>objectIds</methodName>
 <params/>
</methodCall>


HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Sat, 23 Mar 2002 03:09:14 GMT
Bobo-Exception-File: /var/tmp/python/python-root/usr/lib/python1.5/xmllib.py
Content-Type: text/html
Bobo-Exception-Type: RuntimeError
Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"<HTML>
<HEAD <TITLE>Welcometo Zope.org</TITLE  <link rel="stylesheet"
href="http://10.0.11.3:1380/zope_css" type="text/css"   </HEAD  <BOD
Content-Length: 6864
Bobo-Exception-Line: 748

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
 <HEAD>
 <TITLE>Welcome to Zope.org</TITLE>
  <link rel="stylesheet" href="http://10.0.11.3:1380/zope_css"
type="text/css">

  </HEAD>


<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#000066" VLINK="#606060"
TOPMARGIN="0" LEFTMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
 <BASEFONT FACE="Verdana, Arial, Helvetica, sans-serif" SIZE="2">

   <TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" >
   <TR>
    <TD WIDTH="10" BGCOLOR="#6699cc" ALIGN=CENTER>&nbsp;</TD>
    <TD COLSPAN="2" BGCOLOR="#6699CC" VALIGN="TOP" WIDTH="165"><A
HREF="/"><IMGSRC="/Images/zopecom.gif" ALT="Zope" ALIGN="ABSMIDDLE"
WIDTH="150" HEIGHT="63" BORDER="0"></A></TD>
    <TD BGCOLOR="#6699CC" VALIGN="TOP" ALIGN="RIGHT" xWIDTH="99%"
CLASS="welcome">
     <p class="welcome">
      <a class="globalmenu" href="http://www.zope.com">Business Services</A>
      | <A CLASS="globalmenu" HREF="/SiteIndex/searchForm">Search</A>
      | <a CLASS="globalmenu" href="/Products">Download</a>
      | <a CLASS="globalmenu" href="/Documentation">Documentation</a>
      | <a CLASS="globalmenu" href="/Resources">Resources</a>
      | <a class="globalmenu" href="http://dev.zope.org">Development</a>
            <BR>


      <FORM ACTION="/SiteIndex/search" METHOD="GET" name="search">
      Search
        <INPUT TYPE="text" NAME="text_content" SIZE="15">
        &nbsp;
        <INPUT TYPE="IMAGE" SRC="/Images/go.gif" ALT="Go Button!"
ALIGN="ABSMIDDLE" BORDER="0" WIDTH="20" HEIGHT="20">
    </FORM>
     </p>
    </TD>
    <TD WIDTH="10" BGCOLOR="#6699CC" ALIGN="RIGHT" VALIGN="BOTTOM"><IMG
SRC="/Images/blue-rounder1.gif" WIDTH="14" HEIGHT="20" BORDER="0"></TD>
   </TR>

   <TR>
    <TD WIDTH="10" BGCOLOR="#6699cc">&nbsp;</td>


    <TD WIDTH="150" BGCOLOR="#6699CC" VALIGN=TOP>
           <H2 CLASS="lefttitle">&nbsp;Guest</H2>
      <p class="sidemenu">
       <A CLASS="sidemenu" HREF="/Register/register.html">Join Zope.org</A>
       <BR>
       <A CLASS="sidemenu"
HREF="/login.html?came_from=http://10.0.11.3:1380">Log in</A>
          </p>



     <HR NOSHADE SIZE="0.5" WIDTH="95%">

<H2 CLASS="lefttitle">&nbsp;Zope Exits</H2>
     <p class="sidemenu">
  <A CLASS="sidemenu" HREF="http://dev.zope.org/">dev.zope.org</A><BR>
  <A CLASS="sidemenu" HREF="http://cmf.zope.org/">CMF Dogbowl</A><BR>
  <A CLASS="sidemenu" HREF="http://collector.zope.org/Zope">Zope
Collector</A><BR>
  <A CLASS="sidemenu" HREF="http://cvs.zope.org/">Zope CVS</A><BR>
  <A CLASS="sidemenu" HREF="http://www.zopezen.org/">ZopeZen</A><BR>
  <A CLASS="sidemenu" HREF="http://www.zopenewbies.net/">Zope
Newbies</A><BR>
  <a class="sidemenu" href="http://www.zopelabs.com/">Zope Labs</a><br />
  <A CLASS="sidemenu" HREF="http://www.eurozope.org/">EuroZope</A><BR>
  <A CLASS="sidemenu" HREF="http://www.zopera.org/">Zopera</A><BR>
  <A CLASS="sidemenu" HREF="http://zdp.zope.org">ZDP</A><BR>
  <A CLASS="sidemenu" HREF="http://www.freezope.org">FreeZope</A><BR>
  <a CLASS="sidemenu" href="http://www.nipltd.net/Free">NIP Free Zope
Hosting</a>

     </p>
     <HR NOSHADE SIZE="0.5" WIDTH="95%">

<p><a href="http://www.amazon.com/exec/obidos/ASIN/0735711372/zopeorg-20">
<img src="http://www.zope.org/Images/zopebook.png" alt="The Zope Book"
height="140" width="109" border="0" /></a>
</p>


<p><a href="http://python.org/" alt="Python Powered!" ><img
src="http://www.zope.org/Images/python.gif" border="0"></a></p>
    </TD>
    <TD COLSPAN="2" VALIGN=TOP>
     <table cellpadding="10" cellspacing="0" border="0" width="100%">
      <tr valign="top">
       <td>




<TABLE BORDER="0" WIDTH="100%">
<TR>
  <TD WIDTH="10%" ALIGN="CENTER">
  <STRONG><FONT SIZE="+6" COLOR="#77003B">!</FONT></STRONG>
  </TD>
  <TD WIDTH="90%"><BR>
  <FONT SIZE="+2">System Unavailable</FONT>
  <P>This site is currently experiencing technical difficulties.
Please contact the site administrator for more information.  For
additional technical information, please refer to the HTML source for this
page.  Thank you for your patience.</P>
  </TD>
</TR>
</TABLE>
<pre>
 Error type:  RuntimeError
 Error value: Syntax error at line 5: bogus `<'
</pre>
<p align="center">
<form>
<input type="button" value="More Information..."
onClick='window.location = "view-source:" + window.location.href'>
</form>
</p>

      </td>
     </tr>
    </table>


   </TD>
   <TD WIDTH="10" ALIGN=CENTER>&nbsp;</TD>
  </TR>
  <TR><TD WIDTH="10" BGCOLOR="#6699cc"ALIGN=CENTER>&nbsp;</TD>
   <TD WIDTH="150" BGCOLOR="#6699CC" ALIGN=RIGHT VALIGN=BOTTOM><IMG
SRC="/Images/blue-rounder2.gif" WIDTH="142" HEIGHT="20" BORDER="0"
ALT=""></TD>
   <TD COLSPAN="2" ALIGN=CENTER CLASS="plain"><HR NOSHADE SIZE="0"
WIDTH="95%">
    <a href="/privacy.html">Privacy policy</a>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

       <A HREF="http://10.0.11.3:1380?pp=1">Printable Page</A>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

           <A
HREF="/Members//feedback_form?came_from=http://10.0.11.3:1380">Feedback to
this page's author</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

   <A
HREF="http://10.0.11.3:1380/feedback_site_form?whats_up=Welcome%20to%20Zope.
org&origin_url=http://10.0.11.3:1380">Feedback about Zope.org</A>

          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<A
HREF="http://10.0.11.3:1380/view_source">DTML Source</A>

       </TD>
   <TD WIDTH="10" ALIGN=CENTER>&nbsp;</TD>
  </TR>
  <TR>
   <TD WIDTH="10">&nbsp;</TD>
   <TD WIDTH="150">
   <p style="font-size: 60%; color: #cfcfcf;">served by app2</p></TD>
   <TD WIDTH="150">&nbsp;</TD>
   <TD>&nbsp;</TD>
   <TD WIDTH="10">&nbsp;</TD>
  </TR>
 </TABLE>


 <P CLASS="copyright">&copy; 2002
<a href="http://www.zope.com/">Zope Corporation</aAll rights reserved.</P>

</BODY>
</HTML>

<!--
Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py,
line 223, in publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py,
line 187, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line
221, in zpublisher_exception_hook
   (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py,
line 136, in publish
  File
/usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPRequest.py,
line 414, in processInputs
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/xmlrpc.py,
line 120, in parse_input
  File /usr/local/base/Zope-2.3.2-modified/lib/python/xmlrpclib.py, line
531, in loads
  File /var/tmp/python/python-root/usr/lib/python1.5/xmllib.py, line 153, in
close
  File /var/tmp/python/python-root/usr/lib/python1.5/xmllib.py, line 365, in
goahead
  File /var/tmp/python/python-root/usr/lib/python1.5/xmllib.py, line 748, in
syntax_error
RuntimeError: (see above)

-->
Connection closed by foreign host.



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com