[Zope] insecure XML-RPC handling.

kapil thangavelu kthangavelu@earthlink.net
Tue, 2 Apr 2002 06:42:09 -0800


he's testing against zope.org

and the traceback is enclosed in html comments, which probably does mean it is
debug mode.

as for the concerns... i leave that to others.

-k


On Tuesday 02 April 2002 12:18 pm, Chris McDonough wrote:
> You are running Zope in debug mode (with the -D switch in the "start"
> file). This is the default.  Please try running Zope in non-debug mode
> (remove the -D switch) and try this again.
>
> ----- Original Message -----
> From: "Rossen Raykov" <raikovr@yahoo.com>
> To: <zope-dev@zope.org>
> Cc: <klm@zope.com>; <zope@zope.org>
> Sent: Tuesday, April 02, 2002 2:33 PM
> Subject: [Zope] isecure XML-RPC handling.
>
> > Zope is not handling correct XML-RPC request.
> >
> > Even the example from http://www.zope.org/Members/Amos/XML-RPC is not
> > working.
> >
> > Even worse, if a request like this one in the quoted example is sent to
> > the web server it will report information about the local server
> > installation and the internal network.
> >
> > Included are a request and response to www.zope.org.
> >
> > As one may see the server is installed in
> > /usr/local/base/Zope-2.3.2-modified/
> > and it relies on 10.0.11.3:1380 for request processing.
> >
> > All this may be useful debug information but it is not acceptable for a
> > production server!
> >
> > I'm not familiar with Zope and I cannot say whether it is only a
> > configuration problem or a problem in the code.
> >
> > I do not have time to investigate that but a similar result may be
> > achieved with the distribution offered for download.
> >
> > Please let me know if I have to send this bug information to someone
> > else.
>
> > I would like to be informed and when this issue is resolved so I can
> > announce it on Bug-Traq.
> >
> > Regards,
> > Rossen Raykov
> >
> > <cut here>
> > $ telnet www.zope.org 80
> > Trying 63.102.49.33...
> > Connected to www.zope.org.
> > Escape character is '^]'.
> > POST /Foo/Bar/MyFolder HTTP/1.0
> > Content-Type: text/xml
> > Content-length: 95
> >
> > <?xml version="1.0"?>
> > <methodCall>
> >  <methodName>objectIds</methodName>
> >  <params/>
> > </methodCall>
> >
> >
> > HTTP/1.0 500 Internal Server Error
> > Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2)
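A check for the leak discussed in this thread, as an added example that is not part of any of the messages above: it scans an HTTP error response for a traceback hidden in an HTML comment, absolute filesystem paths, private backend addresses and a versioned Server banner. The function name, regexes and result keys are assumptions, and the sample response is constructed from the values quoted in the report.

```python
import ipaddress
import re

# Constructed sample: a 500 response with a traceback hidden in an HTML comment.
# The path and address are the ones quoted in the report; the frame is made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 500 Internal Server Error\r\n"
    b"Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2)\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Sorry, a site error occurred.\n"
    b"<!--\nTraceback (innermost last):\n"
    b"  File /usr/local/base/Zope-2.3.2-modified/, line 1 (constructed frame)\n"
    b"  backend 10.0.11.3:1380\n"
    b"-->\n</body></html>"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Absolute paths under common Unix roots (assumed list, extend for your hosts).
PATH_RE = re.compile(r"(?<![\w.:/])/(?:usr|opt|home|var|srv|etc)/[\w./+-]+")
HOSTPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\b")


def find_leaks(raw: bytes) -> dict:
    """Report internal details exposed by one raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.lower(): v for k, v in
               (ln.split(": ", 1) for ln in lines[1:] if ": " in ln)}
    text = body.decode("latin-1")
    comments = COMMENT_RE.findall(text)
    private = set()
    for m in HOSTPORT_RE.finditer(text):
        try:
            if ipaddress.ip_address(m.group(1)).is_private:
                private.add(m.group(0))
        except ValueError:
            pass  # digits and dots that are not a valid IPv4 address
    server = headers.get("server", "")
    return {
        "status": status,
        # A banner carrying version numbers tells a client the exact release.
        "version_banner": server if re.search(r"\d+\.\d+", server) else None,
        "traceback_in_comment": any("Traceback" in c for c in comments),
        "paths": sorted(set(PATH_RE.findall(text))),
        "internal_addrs": sorted(private),
    }


if __name__ == "__main__":
    print(find_leaks(SAMPLE_RESPONSE))
```

Run it against responses captured from your own server before and after removing the -D switch to confirm the traceback comment no longer appears.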