[Zope-dev] possible compromise
Paul Winkler
pw_lists at slinkp.com
Tue Oct 14 17:02:04 EDT 2003
On Tue, Oct 14, 2003 at 04:18:17PM -0400, Tres Seaver wrote:
> On Tue, 2003-10-14 at 16:08, Chris Pelton wrote:
> > Yes, that's what I'm thinking happened here, but I need to verify that
> > was the case. Are there any logs in zope that could help track this
> > down, or a known configuration that would allow it to happen? Also, for
> > future reference, can we disable this? Any ideas how someone might be
> > able to tell Zope is running?
>
> I believe that the scenario Robert is describing does not actually
> involve Zope at all; rather, (in this scenario) Apache is willing to
> forward arbitrary traffic, via the 'CONNECT' verb. Check your Apache
> access logs for the HTTP verb, 'CONNECT'. Squid's default configs have
> specific settings to allow CONNECT only for HTTPS; I'm guessing that
> your Apache config might need to be tweaked likewise.
Yup, I don't think zope even *can* do something like that.
I was guessing that the exploit was at the application level -
somebody found a MailHost with wide-open permissions
and abused it with a client script.
--
Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's THE INTOXICATED GIRL!
(random hero from isometric.spaceninja.com)
More information about the Zope-Dev
mailing list