[Zope-dev] Vulnerability: attacking can get file list and directory

Leonardo Rochael Almeida leo@hiper.com.br
Mon, 24 Sep 2001 12:36:18 -0300


Shane Hathaway wrote:

> [...]
> PDV just yields information you might give out anyway.  But maybe we 
> could deal with it anyway by writing an "error.log" instead of sending 
> the traceback to the browser.  What do you think?


I think it's fine, but only if specified on the z2.py cmdline or other 
configuration equivalent (--paranoid or PARANOID="yes, please!" come to 
mind :-). But I guess that goes without saying.

Alternatively (or concurrently) we could reformat the traceback to 
report file names relative to Zope installation directory (or to 
INSTANCE_HOME) instead of reporting the absolute filename. In this case 
the only leaked information is of the kind an attacker could easily 
obtain from downloading Zope source code, which, last time I looked, was 
available for all those damned script kiddies to download. Damn these 
opensource projects who keep posting their source code allowing 
Hackers(TM) to look at its vulnerabilities :-)

     Cheers, Leo
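An added example, not Zope's own code and not part of this thread, of the two mitigations discussed above: the full traceback (absolute paths) goes only to an error.log, and the browser gets either an opaque incident id (the "paranoid" mode) or a traceback whose file names have been rewritten relative to INSTANCE_HOME / SOFTWARE_HOME. The root directories, the `<outside>` placeholder for files under neither root, and the function names are assumptions made for the example.

```python
"""Added example (not Zope code): keep server paths out of tracebacks."""
import posixpath
import sys
import tempfile
import traceback
import uuid

# Hypothetical roots for the example; a real deployment would take these from
# INSTANCE_HOME / SOFTWARE_HOME. Checked in order, so the more specific root
# (the instance) comes first.
ROOTS = (
    ("INSTANCE_HOME", "/var/zope/instance"),
    ("SOFTWARE_HOME", "/usr/local/zope/lib/python"),
)


def relativize_path(filename, roots=ROOTS):
    """Map an absolute file name onto 'ROOTNAME/relative/path' for the first
    root it lies under. Files outside every root (interpreter library,
    site-packages) are reduced to their base name, so the only thing a
    client learns is what it could read in the public source anyway."""
    norm = posixpath.normpath(filename)  # collapses any '..' segments first
    for name, root in roots:
        root = posixpath.normpath(root)
        if norm == root or norm.startswith(root + "/"):
            return name + "/" + posixpath.relpath(norm, root)
    return "<outside>/" + posixpath.basename(norm)


def format_frames_relative(frames, roots=ROOTS):
    """Like traceback.format_list, but with every file name relativized.
    `frames` is a sequence of (filename, lineno, name, line) tuples, the
    shape returned by traceback.extract_tb (FrameSummary unpacks to that)."""
    rewritten = [(relativize_path(fn, roots), lineno, name, line)
                 for fn, lineno, name, line in frames]
    return traceback.format_list(rewritten)


def render_error(exc_info, paranoid, log_file, roots=ROOTS):
    """Write the full traceback (absolute paths) to log_file and return the
    text the browser is allowed to see.
    paranoid=True:  only an opaque incident id that an admin can grep for.
    paranoid=False: the traceback, with file names relativized."""
    exc_type, exc_value, tb = exc_info
    incident = uuid.uuid4().hex
    log_file.write("incident %s\n%s" % (
        incident, "".join(traceback.format_exception(exc_type, exc_value, tb))))
    log_file.flush()
    if paranoid:
        return "Zope error; see error.log, incident %s\n" % incident
    body = "".join(format_frames_relative(traceback.extract_tb(tb), roots))
    return ("Traceback (most recent call last):\n" + body
            + "".join(traceback.format_exception_only(exc_type, exc_value)))


def demo(paranoid):
    """Raise an error inside this module, render it, and return
    (text_sent_to_client, contents_of_error_log)."""
    def failing_view():
        raise ValueError("boom")

    with tempfile.TemporaryFile("w+") as log:
        try:
            failing_view()
        except ValueError:
            client = render_error(sys.exc_info(), paranoid, log)
        log.seek(0)
        return client, log.read()


if __name__ == "__main__":
    for mode in (True, False):
        client_text, log_text = demo(mode)
        print("--- paranoid=%s, client sees:\n%s" % (mode, client_text))
        print("--- error.log holds:\n%s" % log_text)
```

The relativizing step normalizes the path before matching, so a file name containing `..` cannot be made to look as if it sits under INSTANCE_HOME; anything that resolves outside both roots is reported only by base name. Since this module itself lives outside the assumed roots, running it shows the `<outside>/` form for its own frames.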