[Zope] isecure XML-RPC handling.

Chris McDonough chrism@zope.com
Tue, 2 Apr 2002 15:18:40 -0500


You are running Zope in debug mode (with the -D switch in the "start" file).
This is the default.  Please try running Zope in non-debug mode (remove
the -D switch) and try this again.

----- Original Message -----
From: "Rossen Raykov" <raikovr@yahoo.com>
To: <zope-dev@zope.org>
Cc: <klm@zope.com>; <zope@zope.org>
Sent: Tuesday, April 02, 2002 2:33 PM
Subject: [Zope] isecure XML-RPC handling.


> Zope is not handling XML-RPC requests correctly.
>
> Even the example from http://www.zope.org/Members/Amos/XML-RPC is not
> working.
>
> Even worse, if a request like the one in the quoted example is sent to the
> web server, it will report information about the local server installation
> and the internal network.
>
> Included are a request and response to www.zope.org.
>
> As one may see, the server is installed in
> /usr/local/base/Zope-2.3.2-modified/
> and it relies on 10.0.11.3:1380 for request processing.
>
> All this may be useful debug information, but it is not acceptable for a
> production server!
>
> I'm not familiar with Zope and I cannot say whether it is only a configuration
> problem or a problem in the code.
>
> I do not have time to investigate that, but a similar result may be achieved
> with the distribution offered for download.
>
> Please let me know if I have to send this bug information to someone else.
>
> I would like to be informed when this issue is resolved so I can
> announce it on Bug-Traq.
>
> Regards,
> Rossen Raykov
>
> <cut here>
> $ telnet www.zope.org 80
> Trying 63.102.49.33...
> Connected to www.zope.org.
> Escape character is '^]'.
> POST /Foo/Bar/MyFolder HTTP/1.0
> Content-Type: text/xml
> Content-length: 95
>
> <?xml version="1.0"?>
> <methodCall>
>  <methodName>objectIds</methodName>
>  <params/>
> </methodCall>
>
>
> HTTP/1.0 500 Internal Server Error
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
> Date: Sat, 23 Mar 2002 03:09:14 GMT
> Bobo-Exception-File: /var/tmp/python/python-root/usr/lib/python1.5/xmllib.py
> Content-Type: text/html
> Bobo-Exception-Type: RuntimeError
> Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
> Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"<HTML>
> <HEAD <TITLE>Welcometo Zope.org</TITLE  <link rel="stylesheet"
> href="http://10.0.11.3:1380/zope_css" type="text/css"   </HEAD  <BOD
> Content-Length: 6864
> Bobo-Exception-Line: 748
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
> "http://www.w3.org/TR/REC-html40/loose.dtd">
> <HTML>
>  <HEAD>
>  <TITLE>Welcome to Zope.org</TITLE>
>   <link rel="stylesheet" href="http://10.0.11.3:1380/zope_css"
> type="text/css">
>
>   </HEAD>
>
>
> <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#000066" VLINK="#606060"
> TOPMARGIN="0" LEFTMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
>  <BASEFONT FACE="Verdana, Arial, Helvetica, sans-serif" SIZE="2">
>
>    <TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" >
>    <TR>
>     <TD WIDTH="10" BGCOLOR="#6699cc" ALIGN=CENTER>&nbsp;</TD>
>     <TD COLSPAN="2" BGCOLOR="#6699CC" VALIGN="TOP" WIDTH="165"><A
> HREF="/"><IMGSRC="/Images/zopecom.gif" ALT="Zope" ALIGN="ABSMIDDLE"
> WIDTH="150" HEIGHT="63" BORDER="0"></A></TD>
>     <TD BGCOLOR="#6699CC" VALIGN="TOP" ALIGN="RIGHT" xWIDTH="99%"
> CLASS="welcome">
>      <p class="welcome">
>       <a class="globalmenu" href="http://www.zope.com">Business Services</A>
>       | <A CLASS="globalmenu" HREF="/SiteIndex/searchForm">Search</A>
>       | <a CLASS="globalmenu" href="/Products">Download</a>
>       | <a CLASS="globalmenu" href="/Documentation">Documentation</a>
>       | <a CLASS="globalmenu" href="/Resources">Resources</a>
>       | <a class="globalmenu" href="http://dev.zope.org">Development</a>
>             <BR>
>
>
>       <FORM ACTION="/SiteIndex/search" METHOD="GET" name="search">
>       Search
>         <INPUT TYPE="text" NAME="text_content" SIZE="15">
>         &nbsp;
>         <INPUT TYPE="IMAGE" SRC="/Images/go.gif" ALT="Go Button!"
> ALIGN="ABSMIDDLE" BORDER="0" WIDTH="20" HEIGHT="20">
>     </FORM>
>      </p>
>     </TD>
>     <TD WIDTH="10" BGCOLOR="#6699CC" ALIGN="RIGHT" VALIGN="BOTTOM"><IMG
> SRC="/Images/blue-rounder1.gif" WIDTH="14" HEIGHT="20" BORDER="0"></TD>
>    </TR>
>
>    <TR>
>     <TD WIDTH="10" BGCOLOR="#6699cc">&nbsp;</td>
>
>
>     <TD WIDTH="150" BGCOLOR="#6699CC" VALIGN=TOP>
>            <H2 CLASS="lefttitle">&nbsp;Guest</H2>
>       <p class="sidemenu">
>        <A CLASS="sidemenu" HREF="/Register/register.html">Join Zope.org</A>
>        <BR>
>        <A CLASS="sidemenu"
> HREF="/login.html?came_from=http://10.0.11.3:1380">Log in</A>
>           </p>
>
>
>
>      <HR NOSHADE SIZE="0.5" WIDTH="95%">
>
> <H2 CLASS="lefttitle">&nbsp;Zope Exits</H2>
>      <p class="sidemenu">
>   <A CLASS="sidemenu" HREF="http://dev.zope.org/">dev.zope.org</A><BR>
>   <A CLASS="sidemenu" HREF="http://cmf.zope.org/">CMF Dogbowl</A><BR>
>   <A CLASS="sidemenu" HREF="http://collector.zope.org/Zope">Zope
> Collector</A><BR>
>   <A CLASS="sidemenu" HREF="http://cvs.zope.org/">Zope CVS</A><BR>
>   <A CLASS="sidemenu" HREF="http://www.zopezen.org/">ZopeZen</A><BR>
>   <A CLASS="sidemenu" HREF="http://www.zopenewbies.net/">Zope
> Newbies</A><BR>
>   <a class="sidemenu" href="http://www.zopelabs.com/">Zope Labs</a><br />
>   <A CLASS="sidemenu" HREF="http://www.eurozope.org/">EuroZope</A><BR>
>   <A CLASS="sidemenu" HREF="http://www.zopera.org/">Zopera</A><BR>
>   <A CLASS="sidemenu" HREF="http://zdp.zope.org">ZDP</A><BR>
>   <A CLASS="sidemenu" HREF="http://www.freezope.org">FreeZope</A><BR>
>   <a CLASS="sidemenu" href="http://www.nipltd.net/Free">NIP Free Zope
> Hosting</a>
>
>      </p>
>      <HR NOSHADE SIZE="0.5" WIDTH="95%">
>
> <p><a href="http://www.amazon.com/exec/obidos/ASIN/0735711372/zopeorg-20">
> <img src="http://www.zope.org/Images/zopebook.png" alt="The Zope Book"
> height="140" width="109" border="0" /></a>
> </p>
>
>
> <p><a href="http://python.org/" alt="Python Powered!" ><img
> src="http://www.zope.org/Images/python.gif" border="0"></a></p>
>     </TD>
>     <TD COLSPAN="2" VALIGN=TOP>
>      <table cellpadding="10" cellspacing="0" border="0" width="100%">
>       <tr valign="top">
>        <td>
>
>
>
>
> <TABLE BORDER="0" WIDTH="100%">
> <TR>
>   <TD WIDTH="10%" ALIGN="CENTER">
>   <STRONG><FONT SIZE="+6" COLOR="#77003B">!</FONT></STRONG>
>   </TD>
>   <TD WIDTH="90%"><BR>
>   <FONT SIZE="+2">System Unavailable</FONT>
>   <P>This site is currently experiencing technical difficulties.
> Please contact the site administrator for more information.  For
> additional technical information, please refer to the HTML source for this
> page.  Thank you for your patience.</P>
>   </TD>
> </TR>
> </TABLE>
> <pre>
>  Error type:  RuntimeError
>  Error value: Syntax error at line 5: bogus `<'
> </pre>
> <p align="center">
> <form>
> <input type="button" value="More Information..."
> onClick='window.location = "view-source:" + window.location.href'>
> </form>
> </p>
>
>       </td>
>      </tr>
>     </table>
>
>
>    </TD>
>    <TD WIDTH="10" ALIGN=CENTER>&nbsp;</TD>
>   </TR>
>   <TR><TD WIDTH="10" BGCOLOR="#6699cc"ALIGN=CENTER>&nbsp;</TD>
>    <TD WIDTH="150" BGCOLOR="#6699CC" ALIGN=RIGHT VALIGN=BOTTOM><IMG
> SRC="/Images/blue-rounder2.gif" WIDTH="142" HEIGHT="20" BORDER="0"
> ALT=""></TD>
>    <TD COLSPAN="2" ALIGN=CENTER CLASS="plain"><HR NOSHADE SIZE="0"
> WIDTH="95%">
>     <a href="/privacy.html">Privacy policy</a>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
>
>        <A HREF="http://10.0.11.3:1380?pp=1">Printable Page</A>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
>
>            <A
> HREF="/Members//feedback_form?came_from=http://10.0.11.3:1380">Feedback to
> this page's author</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
>
>    <A HREF="http://10.0.11.3:1380/feedback_site_form?whats_up=Welcome%20to%20Zope.org&origin_url=http://10.0.11.3:1380">Feedback about Zope.org</A>
>
>           &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<A
> HREF="http://10.0.11.3:1380/view_source">DTML Source</A>
>
>        </TD>
>    <TD WIDTH="10" ALIGN=CENTER>&nbsp;</TD>
>   </TR>
>   <TR>
>    <TD WIDTH="10">&nbsp;</TD>
>    <TD WIDTH="150">
>    <p style="font-size: 60%; color: #cfcfcf;">served by app2</p></TD>
>    <TD WIDTH="150">&nbsp;</TD>
>    <TD>&nbsp;</TD>
>    <TD WIDTH="10">&nbsp;</TD>
>   </TR>
>  </TABLE>
>
>
>  <P CLASS="copyright">&copy; 2002
> <a href="http://www.zope.com/">Zope Corporation</aAll rights reserved.</P>
>
> </BODY>
> </HTML>
>
> <!--
> Traceback (innermost last):
>   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
>   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
>   File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
>    (Object: ApplicationDefaultPermissions)
>   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 136, in publish
>   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPRequest.py, line 414, in processInputs
>   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/xmlrpc.py, line 120, in parse_input
>   File /usr/local/base/Zope-2.3.2-modified/lib/python/xmlrpclib.py, line 531, in loads
>   File /var/tmp/python/python-root/usr/lib/python1.5/xmllib.py, line 153, in close
>   File /var/tmp/python/python-root/usr/lib/python1.5/xmllib.py, line 365, in goahead
>   File /var/tmp/python/python-root/usr/lib/python1.5/xmllib.py, line 748, in syntax_error
> RuntimeError: (see above)
>
> -->
> Connection closed by foreign host.
>
>
>
>
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>