[Zope] IIS and Zope share same problem :-S

Ragnar Beer rbeer@uni-goettingen.de
Fri, 20 Oct 2000 14:14:04 +0200


As I already suggested ages ;) ago (and still didn't put into 
practice) it would here again be best to deny everything that isn't 
explicitly allowed (e.g. allow whatever ends with _html or .html and 
deny everything else) but then I would have to go over the whole 
website and make bazillions of changes ...

I fixed the problem temporarily by adding some 
"FilesMatch/LocationMatch + deny from all" in my httpd.conf. But what 
else do I have to deny apart from objectIds?

Ragnar

>Andrew Kenneth Milton wrote:
>>
>>  |
>>  | http://www.zope.org/standard_html_header for example ;-)
>>
>>  Not that old chestnut again...
>
>Yes, that old chestnut again. If it's considered a serious security flaw
>by Microsoft, maybe the Zope community should finally do something to
>solve it.
>
>...and yes, there are discussions about this on Zope-dev right now,
>which will hopefully produce a solution :-)
>
>cheers,
>
>Chris
>
>_______________________________________________
>Zope maillist  -  Zope@zope.org
>http://lists.zope.org/mailman/listinfo/zope
>**   No cross posts or HTML encoding!  **
>(Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )