[ZWeb] Returned mail: see transcript for details

Mail Delivery Subsystem MAILER-DAEMON@smtp.zope.com
Sat, 5 Apr 2003 08:23:38 -0500

This is a MIME-encapsulated message


The original message was received at Sat, 5 Apr 2003 08:23:21 -0500
from mail.python.org []

   ----- The following addresses had permanent fatal errors -----
    (reason: 550 paul@mail.zope.com unknown user account)
    (expanded from: <paul@zope.com>)

   ----- Transcript of session follows -----
... while talking to mail.zope.com.:
>>> DATA
<<< 550 paul@mail.zope.com unknown user account
550 5.1.1 paul@mail.zope.com... User unknown

Content-Type: message/delivery-status

Reporting-MTA: dns; smtp.zope.com
Arrival-Date: Sat, 5 Apr 2003 08:23:21 -0500

Final-Recipient: RFC822; paul@zope.com
X-Actual-Recipient: RFC822; paul@mail.zope.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.zope.com
Diagnostic-Code: SMTP; 550 paul@mail.zope.com unknown user account
Last-Attempt-Date: Sat, 5 Apr 2003 08:23:37 -0500

Content-Type: message/rfc822

Return-Path: <zope-web@zope.org>
Received: from mail.python.org (mail.python.org [])
	by smtp.zope.com (8.12.5/8.12.5) with ESMTP id h35DNLOi024239
	for <paul@zope.com>; Sat, 5 Apr 2003 08:23:21 -0500
Received: from [] (helo=cvs.baymountain.com)
	by mail.python.org with esmtp (Exim 4.05)
	id 191mso-0007nA-00; Sat, 05 Apr 2003 07:34:54 -0500
From: "Collector: NEW Zope.org (the ..." <zope-web@zope.org>
To: efge <fg@nuxeo.com>, paul <paul@zope.com>, beacon <seb@jamkit.com>,
   sidnei <sidnei@x3ng.com.br>
Subject: [ZOC] 68/ 1 Request "WebDAV allows complete listings of the site"
X-Recipients-debug: ['efge', 'efge', 'paul', 'lennart', 'beacon', 'sidnei']
Message-Id: <E191mso-0007nA-00@mail.python.org>
Date: Sat, 05 Apr 2003 07:34:54 -0500
X-Spam-Status: No, hits=-1.7 required=5.0 tests=BODY_PYTHON_ZOPE,SPAM_PHRASE_00_01
X-MailScanner: Found to be clean

Issue #68 Update (Request) "WebDAV allows complete listings of the site"
 ** Security Related ** (Confidential)
 Status Pending_confidential, content/bug critical
To followup, visit:

= Request - Entry #1 by efge on Apr 5, 2003 7:34 am

Uploaded:  "zope-propfind.txt"
 - http://collector.zope.org/ZopeOrg/68/zope-propfind.txt/view
Using Nautilus from Gnome 2.2, if you go to http://zope.org without any authentication, you still
get a full listing of the site objects.

Nautilus does a PROPFIND, controlled by "WebDAV access", and it appears that this is allowed for Anonymous on
zope.org. I suggest removing the "WebDAV access" permission from Anonymous.

I'm attaching a dump of the TCP conversation.
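The misconfiguration efge describes (an unauthenticated PROPFIND that returns a listing because "WebDAV access" is granted to Anonymous) can be checked for on a server you administer. The following is an added example, not code from the collector report or from Zope: it parses a constructed 207 Multi-Status body of the kind a WebDAV server returns to a `Depth: 1` PROPFIND and flags the case where an anonymous request discloses child resources; a 401/403 (what the suggested fix should produce) or a 207 naming only the requested resource is reported as not exposed. The sample XML, the paths in it, the function names and the optional live audit helper are all assumptions of this example.

```python
"""Added example: flag a WebDAV server that answers an anonymous PROPFIND with a listing.

Constructed sample responses and helper names are this example's own assumptions,
not code from the Zope collector report or from Zope itself.
"""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

DAV_HREF = "{DAV:}href"  # Clark notation for the DAV: namespace, as ElementTree expects it

# Constructed: a 207 Multi-Status body of the kind returned to 'PROPFIND / Depth: 1'
# when the listing permission is granted to Anonymous. The paths are invented.
SAMPLE_LISTING = """<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>/</d:href>
    <d:propstat>
      <d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
  <d:response>
    <d:href>/Members/</d:href>
    <d:propstat>
      <d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
  <d:response>
    <d:href>/index_html</d:href>
    <d:propstat>
      <d:prop><d:resourcetype/></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>"""

# Constructed: a body that answers only for the requested resource itself,
# so no children are disclosed.
SAMPLE_SELF_ONLY = """<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>/</d:href>
    <d:propstat>
      <d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>"""


def listed_hrefs(body):
    """Return every DAV:href in a Multi-Status body, in document order."""
    root = ET.fromstring(body)
    return [h.text for h in root.iter(DAV_HREF)]


def child_hrefs(body, request_path="/"):
    """Hrefs other than the requested resource itself, i.e. what a listing discloses."""
    wanted = request_path.rstrip("/") or "/"
    return [h for h in listed_hrefs(body) if (h.rstrip("/") or "/") != wanted]


def anonymous_listing_exposed(status_code, body, request_path="/"):
    """True if an unauthenticated PROPFIND disclosed children of request_path.

    401/403 means anonymous WebDAV access is denied (the fix the report asks for);
    a 207 that names only the requested resource is not a listing either.
    """
    if status_code != 207 or not body:
        return False
    return len(child_hrefs(body, request_path)) > 0


def audit_own_server(url, timeout=10):
    """Issue one anonymous 'PROPFIND Depth: 1' against a server you administer
    and return (status_code, exposed). Uses the network; not exercised by the test."""
    req = urllib.request.Request(
        url, method="PROPFIND", headers={"Depth": "1", "Content-Length": "0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""
    path = urllib.parse.urlsplit(url).path or "/"
    return status, anonymous_listing_exposed(status, body, path)
```

After the "WebDAV access" permission is removed from the Anonymous role, the same anonymous PROPFIND should come back as 401, and `anonymous_listing_exposed` then returns False regardless of body content; the offline functions let the check be re-run against captured responses such as the attached dump.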