[Zope-dev] Vulnerability: attacking can get file list and directory

Jim Penny jpenny@universal-fasteners.com
Mon, 24 Sep 2001 11:37:39 -0400


On Mon, Sep 24, 2001 at 10:59:11AM -0400, Shane Hathaway wrote:
> Oliver Bleutgen wrote:
> 
> >From a non-technical, PR-wise point of view let me add that
> >this type of "vulnerability" easily gets zope mentioned on lists
> >like bugtraq. The perception is that these things really are 
> >vulnerabilities.
> 
> 
> You're right, a quick search on google for "path disclosure 
> vulnerability" yields a lot of hits for lots of applications.
> 
> It troubles me that people consider PDV to be important at all when the 
> client-side trojan bug is still fully exploitable on all browsers 
> including IE and Mozilla! (AFAIK)  Client-side trojans, which can cause 
> your browser to invisibly post a comment on a weblog, execute a 
> financial transaction, or break into servers you maintain, are a major risk.
> 
> PDV just yields information you might give out anyway.  But maybe we 
> could deal with it anyway by writing an "error.log" instead of sending 
> the traceback to the browser.  What do you think?

Yes, the error log approach is far preferable.

But, it would be nice if the browser got a message something like:

An error has occurred:
  (stuff above traceback information is printed).
Refer your administrator to the error log key XXXXXXXXXXXX

and then prepend each line of the error log for this item with
XXXXXXXXXXXX.  Then a simple grep would be enough to find the 
particular error in question.

[And it might be really nice if errors were emailed to an
administrator, as well as logged.  If this is done, it would probably
be desirable to have some sort of per folder property in which the
proper contact(s) could be listed.]

Jim Penny

> 
> Shane
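The scheme Jim sketches above (traceback to an error log, every log line prefixed with a random key, and only the key sent to the browser) as a small worked example. This is added illustration code, not anything from Zope or from the thread; the key length, the `handle_request` wrapper and the path in the failing view are constructed for the demo.

```python
"""Path-disclosure mitigation: log the traceback server-side under a
correlation key and return only a generic message plus that key.
Added example, not Zope code; names and sample values are constructed."""
import io
import secrets
import traceback


def make_error_key():
    # 12 uppercase hex characters, matching the XXXXXXXXXXXX placeholder
    # in the message above. Random, so keys are not guessable or sequential.
    return secrets.token_hex(6).upper()


def record_error(exc, log, key=None):
    """Write the traceback for `exc` to `log` (a file-like object), with every
    line prefixed by the key, and return the key. Prefixing each line (rather
    than just the first) is what makes `grep KEY error.log` return the whole
    traceback in one go."""
    key = key or make_error_key()
    tb_text = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__)
    )
    for line in tb_text.rstrip("\n").split("\n"):
        log.write(f"{key} {line}\n")
    return key


def user_facing_message(key):
    # Deliberately contains no exception text, class name or file path:
    # only the opaque key that an administrator can look up.
    return ("An error has occurred.\n"
            f"Refer your administrator to the error log key {key}\n")


def handle_request(view, log):
    """Run `view()`; on any failure log the traceback and return the generic
    message instead of the traceback. Returns (status, body)."""
    try:
        return 200, view()
    except Exception as exc:  # broad on purpose: this is the top-level handler
        key = record_error(exc, log)
        return 500, user_facing_message(key)


def find_error(log_text, key):
    """Administrator side: return the traceback lines recorded under `key`,
    with the prefix stripped (the same selection `grep KEY error.log` makes)."""
    prefix = key + " "
    return [line[len(prefix):]
            for line in log_text.splitlines() if line.startswith(prefix)]


def demo():
    """Constructed scenario: a view fails with a server path in its message.
    Returns (status, body, log_text) so the result can be inspected."""
    log = io.StringIO()

    def bad_view():
        # Constructed path; in a real traceback the filesystem layout
        # would also appear in the frame lines.
        raise RuntimeError("cannot open /var/zope/var/Data.fs")

    status, body = handle_request(bad_view, log)
    return status, body, log.getvalue()


if __name__ == "__main__":
    status, body, log_text = demo()
    print(body)        # what the browser sees: message plus key only
    print(log_text)    # what lands in error.log: key-prefixed traceback
```

Running the block prints the browser-facing message followed by the log contents; the path and exception text appear only in the log, and `find_error(log_text, key)` (or `grep KEY error.log`) recovers the full traceback from the key in the message.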