[Zope-dev] Re: [Zope] insecure XML-RPC handling.
Oliver Bleutgen
myzope@gmx.net
Wed, 03 Apr 2002 17:19:48 +0200
R. David Murray wrote:
> On Tue, 2 Apr 2002, Eron Lloyd wrote:
>
>>The problem here seems to be that you are trying to do XML-RPC communication
>>with a version of Zope that doesn't support XML-RPC out of the box. You
>>
>
> I think most people missed the point here. I don't think Rossen
> is asking for help on running zope or getting xml-rpc to work with
> it. He's observed a "security" problem: he believes the fact that
> a traceback including path names is included in the error response
> is a security exposure. This has been discussed on zope-dev before,
> but the fact remains that the security community *does* treat
> exposure of filesystem path information as a security issue.
>
> I believe the addition of the variable to control what happens with
> tracebacks addresses this issue from a security standpoint, which
> is probably all that Rossen cares about with regards to letting
> bugtraq know that "the security bug has been fixed".
Just to add some weight to this point, let's search google:
http://www.google.com/search?q=%22path+disclosure+vulnerability%22
I don't care too much about this bug (let's call it a bug), but it
indeed has enough weight to get zope quite a bad reputation in the
security community. Oh, and each and every instance of these
"vulnerabilities" got patched by the vendors, so they seem to take it
seriously also.
cheers,
oliver
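A small illustration of the exposure under discussion, added here as an example and not code from the thread or from Zope: an XML-RPC fault built with the traceback included leaks the server's filesystem paths to the caller, while the hardened setting keeps the traceback in the server log and returns a generic fault. The `show_traceback` switch, the `divide` method and the path regex are assumptions modelled on the "variable to control what happens with tracebacks" mentioned above.

```python
import logging
import re
import traceback
import xmlrpc.client

log = logging.getLogger("xmlrpc")

# Assumed switch standing in for Zope's traceback-control variable (not its real name).
SHOW_TRACEBACKS = False


def fault_for_exception(exc, show_traceback):
    """Build the XML-RPC fault response body for an exception raised by a method."""
    full = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if show_traceback:
        # Weak setting: the whole traceback, with 'File "/path/..."' lines, goes to the client.
        message = full
    else:
        # Hardened setting: traceback to the server log only; client gets a generic message.
        log.error("XML-RPC fault:\n%s", full)
        message = "%s (details logged on the server)" % type(exc).__name__
    return xmlrpc.client.dumps(xmlrpc.client.Fault(1, message), methodresponse=True)


def dispatch(method, params, show_traceback=SHOW_TRACEBACKS):
    """Call a method and return the XML-RPC response body (result or fault)."""
    try:
        return xmlrpc.client.dumps((method(*params),), methodresponse=True)
    except Exception as exc:
        return fault_for_exception(exc, show_traceback)


# Matches the file references a Python traceback carries (constructed check, not exhaustive).
PATH_RE = re.compile(r'File "([^"]+)"')


def leaked_paths(response_xml):
    """Return filesystem paths found in a fault response; empty list if none (or no fault)."""
    try:
        xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:
        return PATH_RE.findall(fault.faultString)
    return []


def divide(a, b):
    """Constructed sample method that faults on a zero divisor."""
    return a / b
```

Run `leaked_paths(dispatch(divide, (1, 0), show_traceback=True))` to see the paths a caller would learn, and the same call with `show_traceback=False` to confirm nothing is disclosed.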