[Zope-dev] Vulnerability: attacking can get file list and dir ectory

sean.upton@uniontrib.com sean.upton@uniontrib.com
Mon, 24 Sep 2001 10:00:41 -0700


On a high-traffic site, wouldn't the log get really big, really quickly with
tracebacks?  It is also nice to have the tracebacks in the browser window
for debugging... 

Why not just enable tracebacks to clients from trusted IP address ranges or
domains...  Set this up as an option in Z2.py?

Anyway, that's my 3-mile high take on it... 
Sean

-----Original Message-----
From: Shane Hathaway [mailto:shane@zope.com]
Sent: Monday, September 24, 2001 7:59 AM
To: Oliver Bleutgen
Cc: zope-dev@zope.org
Subject: Re: [Zope-dev] Vulnerability: attacking can get file list and
directory


Oliver Bleutgen wrote:

> From a non-technical, PR-wise point of view let me add that
> this type of "vulnerability" easily gets zope mentioned on lists
> like bugtraq. The perception is that these thing really are 
> vulnerabilities.


You're right, a quick search on google for "path disclosure 
vulnerability" yields a lot of hits for lots of applications.

It troubles me that people consider PDV to be important at all when the 
client-side trojan bug is still fully exploitable on all browsers 
including IE and Mozilla! (AFAIK)  Client-side trojans, which can cause 
your browser to invisibly post a comment on a weblog, execute a 
financial transaction, or break into servers you maintain, are a major risk.

PDV just yields information you might give out anyway.  But maybe we 
could deal with it anyway by writing an "error.log" instead of sending 
the traceback to the browser.  What do you think?

Shane



_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )