[Zope] IIS and Zope share same problem :-S

Pierre-Julien Grizel grizel@mouli.net
Fri, 20 Oct 2000 12:04:49 +0200


Hum... A possible way to solve this problem is to practice the "you
can't do ANYTHING but..." policy... and thus grant proxy roles to
the methods that must access it, such as index_html.
I know it's constraining but with a little work we can end up with
something quite secure & secret.




P.-J.



Chris Withers wrote:
> 
> > MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
> > by Dave Murphy, member@itrain.org
> >
> > Microsoft is scrambling to repair damage caused by a
> > security hole in its IIS 4 & 5 webserver that runs on
> > Windows NT/2000. Microsoft claims over four million
> > IIS websites, and each one of them is at risk of
> > releasing sensitive data through the security hole.
> > Called the "Web Server Folder Traversal" error, the
> > flaw allows users to execute files on an IIS website by
> > requesting a specific web address.
> 
> http://www.zope.org/standard_html_header for example ;-)
> http://www.zope.org/objectIds as another...
> 
> > The bug allows access to any file on the webserver via
> > a specified URL. Like all webservers, IIS is supposed
> > to prevent access to files that aren't intended to be
> > part of the website.
> 
> Maybe Zope should too....
> 
> > This article is posted to http://itrain.org/itinfo/2000/it001017.html
> >
> > Live well, do good,
> >
> > --Dave Murphy
> 
> cheers,
> 
> Chris
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )

-- 
If the only tool you have is a hammer, 
    you tend to see every problem as a nail.
                                       --Abraham Maslow
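The "you can't do ANYTHING but..." policy sketched above, as an added example that is not part of the original message or of Zope's own code: a simplified model of Zope's permission check in which every object lists the roles allowed to View it, a request runs with the caller's roles, and a method may declare proxy roles that replace the caller's roles only while its body executes. In Zope 2 the two settings correspond to the Security tab (manage_permission on the folder, with acquisition switched off) and the Proxy tab (manage_proxy on index_html); the site contents, names and role sets below are constructed for the demonstration.

```python
"""Default-deny plus proxy roles, modelled in plain Python.

Added example, not Zope's AccessControl code: objects carry the roles
permitted to View them, and a method's proxy roles stand in for the
caller's roles inside that method only.  The site is a constructed sample.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


class Unauthorized(Exception):
    """Raised when the effective roles do not permit View on an object."""


@dataclass
class Obj:
    name: str
    view_roles: FrozenSet[str]                          # roles allowed to View directly
    proxy_roles: FrozenSet[str] = frozenset()           # roles a method runs with, if any
    body: Optional[Callable[["Context"], str]] = None   # None: plain data object
    data: str = ""


@dataclass
class Context:
    site: Dict[str, Obj]
    roles: FrozenSet[str]        # effective roles for this execution

    def get(self, name: str) -> Obj:
        obj = self.site[name]
        if not (obj.view_roles & self.roles):
            raise Unauthorized(f"{name}: roles {sorted(self.roles)} may not View")
        return obj

    def call(self, name: str) -> str:
        obj = self.get(name)
        if obj.body is None:
            return obj.data
        # Proxy roles replace the caller's roles only inside the method body;
        # the caller never holds them for anything else.
        inner = Context(self.site, obj.proxy_roles or self.roles)
        return obj.body(inner)


def handle_request(site: Dict[str, Obj], path: str, user_roles) -> str:
    """Simulate GET /<path> by a user holding user_roles."""
    return Context(site, frozenset(user_roles)).call(path.lstrip("/"))


def build_site(index_proxy_roles=frozenset({"Manager"})) -> Dict[str, Obj]:
    """Constructed sample site: everything is Manager-only except index_html."""
    def index_body(ctx: Context) -> str:
        header = ctx.call("standard_html_header")
        ids = ctx.call("objectIds")
        return f"{header}<p>{ids}</p>"

    return {
        "standard_html_header": Obj("standard_html_header", frozenset({"Manager"}),
                                    data="<html><body>"),
        "objectIds": Obj("objectIds", frozenset({"Manager"}),
                         data="['standard_html_header', 'objectIds', 'index_html']"),
        "index_html": Obj("index_html", frozenset({"Anonymous", "Manager"}),
                          proxy_roles=index_proxy_roles, body=index_body),
    }


def demo() -> Dict[str, str]:
    """Anonymous requests against the sample site, with and without proxy roles."""
    site = build_site()
    anon = ["Anonymous"]
    results = {"index_html": handle_request(site, "/index_html", anon)}
    for leaf in ("standard_html_header", "objectIds"):
        try:
            handle_request(site, "/" + leaf, anon)
            results[leaf] = "LEAKED"
        except Unauthorized:
            results[leaf] = "denied"
    # Without proxy roles the same index_html cannot even read its own header.
    try:
        handle_request(build_site(index_proxy_roles=frozenset()), "/index_html", anon)
        results["index_html_no_proxy"] = "rendered"
    except Unauthorized:
        results["index_html_no_proxy"] = "denied"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

Requesting /standard_html_header or /objectIds directly is refused, while /index_html renders because its body runs as Manager. The flip side is that index_html is now the trust boundary: whatever its body chooses to emit is public, so a method given proxy roles deserves the same review as any privileged code.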