[Zope] Fw: Zope insecure handling on XML-RPC will reveal information about the server's physical paths.

Rossen Raykov raikovr@yahoo.com
Thu, 18 Apr 2002 22:55:23 -0400


----- Original Message -----
From: "Rossen Raykov" <raikovr@yahoo.com>
To: <webmaster@zope.org>; <webmaster@zope.com>
Cc: <sacure@zope.org>; <secure@zope.com>
Sent: Thursday, April 18, 2002 10:41 PM
Subject: Zope insecure handling on XML-RPC will reveal information about the server's physical paths.


> A request like the one quoted below will cause Zope to reveal information
> about physical paths on the server and about the local servers to which it
> is relaying (the last one may be a misconfiguration, sorry, I'm not so
> familiar with the platform).
>
> As far as I know, this problem is present on all currently released Zope
> versions, including 2.5.0.
>
> Running the server without the -D option wouldn't help.
>
> The last version from CVS seems to handle this correctly.
>
> Thanks to Chris Withers and Shane Hathaway I was able to test it on the
> build from 15/04/02 and it worked just fine.
>
> I'm interested to know if there is any other way to fix that bug.
>
> BTW, when will the next release be available?
>
> Regards,
>
> Rossen
>
> -------- CUT HERE ---------
>
> POST /Foo/Bar/MyFolder HTTP/1.0
> Content-Type: text/xml
> Content-length: 95
>
> <?xml version="1.0"?>
> <methodCall>
>  <methodName>objectIds</methodName>
>  <params/>
> </methodCall>
>


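A check a Zope administrator could run on captured XML-RPC responses to confirm that fault replies no longer carry filesystem paths. This is an added example, not code from the post or from Zope itself; both responses below are constructed samples and the path pattern is a heuristic assumption.

```python
import re
import xmlrpc.client

# Constructed sample of an XML-RPC fault response carrying a traceback;
# it is not a real Zope response, only the shape such a leak would take.
SAMPLE_FAULT = """<?xml version="1.0"?>
<methodResponse>
  <fault>
    <value><struct>
      <member><name>faultCode</name><value><int>-1</int></value></member>
      <member><name>faultString</name><value><string>Traceback (innermost last):
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 150, in publish_module
  File C:\\Zope\\lib\\python\\OFS\\Folder.py, line 90, in objectIds
AttributeError: foo</string></value></member>
    </struct></value>
  </fault>
</methodResponse>
"""

# Constructed sample of a normal (non-fault) response to objectIds.
SAMPLE_OK = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>index_html</string></value>
</data></array></value></param></params></methodResponse>
"""

# Heuristic: Windows drive paths or absolute Unix paths with 2+ components.
PATH_RE = re.compile(r"[A-Za-z]:\\[\w\\.-]+|/(?:[\w.-]+/)+[\w.-]+")


def fault_string(body):
    """Return the faultString of an XML-RPC fault, or None for a normal response."""
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return fault.faultString
    return None


def leaked_paths(body):
    """List the filesystem paths disclosed in a fault response (empty if none)."""
    text = fault_string(body)
    if text is None:
        return []
    return sorted(set(PATH_RE.findall(text)))


if __name__ == "__main__":
    print(leaked_paths(SAMPLE_FAULT))
    print(leaked_paths(SAMPLE_OK))
```

A non-empty list for a response from your own server means the fault text still exposes server paths and the server needs the fixed Zope build.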