[Zope] Help: mod_proxy exploit on apache + zope

Jean-Francois.Doyon@CCRS.NRCan.gc.ca
Thu, 13 Mar 2003 18:08:03 -0500


Wayne,

Heh, I feel for you! I've had a server hacked in the past :)

Yes, you can close down your mod_proxy by simply using:

        # Refuse any request whose URI does not begin with "/", i.e. a
        # forward-proxy request carrying an absolute URL (http://...).
        <LocationMatch "^[^/]">
                Deny from all
        </LocationMatch>

I actually got that off of the Zope website. It refuses requests that don't
start with "/" ...

This way only requests that are local are accepted. I even tested it and it
worked fine: you get a nice Apache access denied error if you try to
transparently use the proxy.

Hope this helps!
J.F.
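An added example (not from either poster) of how the same closure looks in a complete Apache 2.0 fragment, with the open setting shown beside the fixed one and the Zope rewrite kept intact; it assumes Zope listens on localhost:8080 and uses example.com as a placeholder host name:

```apache
# Added example, not from the thread. Assumes Zope on localhost:8080;
# example.com is a placeholder for the real virtual host name.

# The open-relay setting: with this on, Apache is a forward proxy that
# anyone on the Internet can route requests through.
#   ProxyRequests On

# Corrected: forward proxying off. ProxyPass and RewriteRule [P]
# (reverse proxying to Zope) still work with this set to Off.
ProxyRequests Off

# Belt and braces, as quoted above: a forward-proxy request carries an
# absolute URL (http://...) as its URI instead of a path starting with
# "/", so deny anything that does not begin with "/".
<LocationMatch "^[^/]">
    Order deny,allow
    Deny from all
</LocationMatch>

<VirtualHost *:80>
    ServerName example.com
    RewriteEngine On
    # Hand every request to Zope's VirtualHostMonster over loopback only;
    # [P] reverse-proxies this one rule without opening a forward proxy.
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/$1 [L,P]
</VirtualHost>
```

Run `apachectl configtest` after the change, then confirm from outside that a request for an absolute URL through port 80 is refused while the site itself still loads.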

-----Original Message-----
From: Wayne Connolly [mailto:wayne_connolly@yahoo.com]
Sent: Thursday, March 13, 2003 6:01 PM
To: zope@zope.org
Subject: [Zope] Help: mod_proxy exploit on apache + zope


All,

My server was used for hacking other servers by some
morons. mod_proxy was set wide open - we were getting
used as a relay for attacks on all sorts of servers.
For the sake of people getting attacked, I've had to
set it to Deny from all. 
 
This seems to have broken my zope sites, however.

I have a machine with virtual hosts with FreeBSD,
Apache 2, and Zope. I'm using rewrite rules to make Zope
work. Both mod_proxy and mod_rewrite are enabled.

Does anyone know of a fix?

We need to only allow certain interactions with Zope
to take place (localhost), and that is from Zope
domains.

I heard about the use of
http://httpd.apache.org/docs-2.0/mod/mod_cgid.html
with Zope and Apache 2... can anyone help? If they can,
I'll write up a full how-to on it, as it is of high
importance for Zope hosters, I think...

Panicking,

Wayne.
wayne@c-media.com.au


_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope