[Zope] VirtualHostMonster: access to all content in instance

Jonas Meurer jonas at freesources.org
Fri Jul 4 09:03:29 EDT 2008


Hello,

We just discovered that when using VirtualHostMonster in apache
RewriteRules, it is possible to access all content in the zope
instance. If the URL points to a subfolder, just like
http://localhost:9080/VirtualHostBase/http/www.name.com:80/subfolder/VirtualHostRoot/$1
then it's still possible to access content below that subfolder on the
instance. If $1 is some foldername that doesn't exist in the subfolder
but instead in the root folder of the instance, its content is returned.

An example to make it explicit:

Let's assume we have three directories in the root folder of the
instance: /project1, /project2 and /project3.

The VirtualHostMonster is used to access project2 directly via
www.project2.com:
RewriteRule ^/(.*) http://localhost:9080/VirtualHostBase/http/www.project2.com:80/project2/VirtualHostRoot/$1 [P]

But both project1 and project3 are also accessible through project2.com
over the URLs "http://www.project2.com/project1" and
"http://www.project3.com/project3".

Is this a known issue? I consider that a quite serious bug, as both
project1 and project3 might be private and should not be published over
the globally available apache rewriterule.

We do use zope2.10.5 on a debian/etch system.

greetings,
 jonas
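To make the reported behaviour concrete, here is an added example (not Zope's code and not from the original post) that models Zope-style acquisition in plain Python: a name that is not found in a folder is looked up in its ancestors, so a request for /project1 under the project2 virtual root resolves to the root-level project1. The second resolver, a hypothetical containment check, refuses any hop whose physical path lies outside the virtual host root; the folder tree and names are constructed for the example.

```python
# Simplified model of acquisition-based traversal, constructed for illustration.
# Not Zope code: a lookup that misses in a folder falls back to its ancestors.

class Folder:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = {}

    def add(self, name):
        child = Folder(name, self)
        self.children[name] = child
        return child

    def physical_path(self):
        """Path from the instance root, e.g. '/project2/index_html'."""
        names, node = [], self
        while node.parent is not None:
            names.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(names))


def acquire(folder, name):
    """Acquisition-style lookup: try the folder, then each ancestor in turn."""
    node = folder
    while node is not None:
        if name in node.children:
            return node.children[name]
        node = node.parent
    return None


def traverse(vroot, path):
    """Resolve a request path relative to the virtual host root (permissive)."""
    node = vroot
    for part in [p for p in path.split("/") if p]:
        node = acquire(node, part)
        if node is None:
            return None
    return node


def traverse_contained(vroot, path):
    """Hypothetical hardened resolver: reject hops that leave the virtual root."""
    node, vpath = vroot, vroot.physical_path()
    prefix = vpath.rstrip("/") + "/"
    for part in [p for p in path.split("/") if p]:
        node = acquire(node, part)
        if node is None:
            return None
        pp = node.physical_path()
        if pp != vpath and not pp.startswith(prefix):
            return None  # acquired from outside the virtual host root
    return node


def build_instance():
    """Constructed instance: /project1, /project2 (with index_html), /project3."""
    root = Folder("")
    for name in ("project1", "project2", "project3"):
        root.add(name)
    root.children["project2"].add("index_html")
    return root
```

With the tree above, `traverse(project2, "/project1")` returns the root-level project1 folder, while `traverse_contained` returns None for the same request and still serves /index_html from within project2.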

