[Zope-dev] Re: [Zope] isecure XML-RPC handling.

Rossen Raykov raikovr@yahoo.com
Wed, 3 Apr 2002 22:24:17 -0500


Hi all,

My point was that Zope is revealing internal information that is believed to
be private and invisible to Internet users.
It happens in its default (debug) installation and even after the -D option
is removed from the startup script.
I tried some XML-RPC requests against www.zope.org (2.3.2) and against the
default 2.5.0 installation for Windows (with and without the -D option).
In both cases Zope was revealing the physical location of the distribution.
In the case of www.zope.org it was revealing even information about its
internal network (this may also be possible in 2.5.0 but I do not have the
time to create a complicated enough configuration).

In general Zope should not reveal any physical information, neither about
its installation nor about the internal network behind it.
If you need to print traces, use paths relative to the server root.
If the debug option is omitted, just print the error and do not print any
stack dumps at all!

People have to be aware that the default installation is in debug mode and
of the results of that.
I believe many people will be surprised to learn that they are exposing
information about their private networks and server setups.

Finally, two clarifications:
1. Zope 2.3.2 does support XML-RPC. Try example one against www.zope.org; it
will work just fine!
2. Zope 2.5.0 in its default installation (debug mode) is still revealing
information about the physical location of the installed server.
See the dump in example two. It is produced as a result of the XML-RPC
example from my first e-mail.

Regards,
Rossen

------------ Example one ---------------
POST /Foo/Bar/MyFolder HTTP/1.0
Content-Type: text/xml
Content-length: 110

<?xml version='1.0'?>
<methodCall>
<methodName>title_or_id</methodName>
<params>
</params>
</methodCall>

------------ Example two ---------------
...
Bobo-Exception-File: C:\PROGRA~1\WebSite\bin\lib\xmllib.py
...
Traceback (innermost last):
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 150, in
publish_module
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 114, in
publish
  File C:\PROGRA~1\WebSite\lib\python\Zope\__init__.py, line 158, in
zpublisher_exception_hook
    (Object: Zope)
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 63, in
publish
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\HTTPRequest.py, line 357,
in processInputs
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\xmlrpc.py, line 47, in
parse_input
  File C:\PROGRA~1\WebSite\lib\python\xmlrpclib.py, line 531, in loads
  File C:\PROGRA~1\WebSite\bin\lib\xmllib.py, line 172, in close
  File C:\PROGRA~1\WebSite\bin\lib\xmllib.py, line 405, in goahead
  File C:\PROGRA~1\WebSite\bin\lib\xmllib.py, line 794, in syntax_error
Error: (see above)

----- Original Message -----
From: "Brian Lloyd" <brian@zope.com>
To: "R. David Murray" <bitz@bitdance.com>; <zope-dev@zope.org>
Cc: "Rossen Raykov" <raikovr@yahoo.com>
Sent: Wednesday, April 03, 2002 12:20 PM
Subject: RE: [Zope-dev] Re: [Zope] isecure XML-RPC handling.


> > I think most people missed the point here.  I don't think Rossen
> > is asking for help on running zope or getting xml-rpc to work with
> > it.  He's observed a "security" problem: he believes the fact that
> > a traceback including path names is included in the error response
> > is a security exposure.  This has been discussed on zope-dev before,
> > but the fact remains that the security community *does* treat
> > exposure of filesystem path information as a security issue.
>
> Right. There is already code for Zope 2.6 and Zope 3 that
> addresses this. Shane's new traceback formatting makes the
> trace information far more readable in addition to removing
> filesystem path information.
>
>
> Brian Lloyd        brian@zope.com
> V.P. Engineering   540.361.1716
> Zope Corporation   http://www.zope.com
>
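
The two mitigations the thread converges on (no stack dump unless debug mode is on, and root-relative paths when it is) can be shown in a small traceback formatter. The following is an added example, not Zope's code and not Shane's traceback formatting mentioned above; the function and variable names are assumptions, and the sample frames are constructed from the paths in example two above, with one extra constructed file outside the server root.

```python
"""Render an exception for an error response without leaking filesystem layout.
Added example, not Zope's own code; names are hypothetical."""
import re
import traceback


def _parts(path):
    """Split a path on either separator so Windows and POSIX paths compare alike."""
    return [p for p in path.replace("\\", "/").split("/") if p]


def relativize(filename, roots):
    """Express filename relative to the first server root that contains it.

    Files outside every root collapse to their basename, so the client never
    learns a directory layout it has no business knowing.
    """
    parts = _parts(filename)
    for root in roots:
        rparts = _parts(root)
        head = [p.lower() for p in parts[: len(rparts)]]
        if len(parts) > len(rparts) and head == [p.lower() for p in rparts]:
            return "/".join(parts[len(rparts):])
    return parts[-1] if parts else "<unknown>"


def scrub_message(message, roots):
    """Blank out any server root that the exception message itself contains
    (e.g. an OSError that quotes the absolute path it failed to open)."""
    for root in roots:
        # Match the root with either separator, case-insensitively (Windows).
        pattern = r"[\\/]".join(re.escape(p) for p in _parts(root))
        message = re.sub(pattern, "<server-root>", message, flags=re.IGNORECASE)
    return message


def format_for_client(exc_type, exc_value, frames, debug, roots):
    """Build the error body sent to the client.

    frames is a list of (filename, lineno, funcname) triples, outermost first.
    With debug off only the error line is returned; with debug on the stack is
    added in the layout Zope used, but with root-relative paths.
    """
    lines = []
    if debug:
        lines.append("Traceback (innermost last):")
        for filename, lineno, funcname in frames:
            lines.append("  File %s, line %d, in %s"
                         % (relativize(filename, roots), lineno, funcname))
    lines.append("%s: %s" % (exc_type.__name__,
                             scrub_message(str(exc_value), roots)))
    return "\n".join(lines)


def format_exc_info(exc_info, debug, roots):
    """Same, for a live (type, value, traceback) triple such as sys.exc_info()."""
    exc_type, exc_value, tb = exc_info
    frames = [(f.filename, f.lineno, f.name) for f in traceback.extract_tb(tb)]
    return format_for_client(exc_type, exc_value, frames, debug, roots)


# Constructed sample data: frames taken from example two in the e-mail above,
# plus one constructed file that lies outside the server root.
SERVER_ROOTS = ["C:\\PROGRA~1\\WebSite"]
SAMPLE_FRAMES = [
    ("C:\\PROGRA~1\\WebSite\\lib\\python\\ZPublisher\\Publish.py", 150, "publish_module"),
    ("C:\\PROGRA~1\\WebSite\\bin\\lib\\xmllib.py", 794, "syntax_error"),
    ("D:\\Scratch\\helper.py", 3, "helper"),
]

if __name__ == "__main__":
    # Constructed error whose message itself quotes an absolute path.
    err = ValueError("bad input in C:\\PROGRA~1\\WebSite\\var\\request.xml")
    print("--- debug off ---")
    print(format_for_client(ValueError, err, SAMPLE_FRAMES, False, SERVER_ROOTS))
    print("--- debug on ---")
    print(format_for_client(ValueError, err, SAMPLE_FRAMES, True, SERVER_ROOTS))
```

Note that the traceback body is only one of the places the path appears: the Bobo-Exception-File header in example two carries the same absolute path and would need the same relativize treatment before the response leaves the server.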
