[Zope3-Users] Re: apache as zope3's frontend and NTLM

Derrick Hudson dman at dman13.dyndns.org
Tue Nov 15 09:24:52 EST 2005

On Tue, Nov 15, 2005 at 11:02:06AM +0000, Chris Withers wrote:
| Philipp von Weitershausen wrote:
| >True, it's not the nicest solution. But you could make it safer by first
| >stripping the according request variable from the QUERY_STRING.
| >mod_rewrite is quite powerful in that respect.
| Is it just me, or should a deep feeling of uneasiness accompany the 
| extraction of authentication credentials from a query string? ;-)

It's not just you.  :-)

The hole this creates is:  someone makes an HTTP request directly to
Zope bypassing apache altogether.  This request could simply present
any username desired.

Some ways to limit the exposure of the hole is to have zope listen on
the loopback interface only.  Then prevent all shell access on the
system.  The only remaining hole at this point is if someone can
abuse some other network-accessible service and coerce it into making
the request (or to open a back door).


Bugs come in through open windows. Keep Windows shut!
www: http://dman13.dyndns.org/~dman/            jabber: dman at dman13.dyndns.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mail.zope.org/pipermail/zope3-users/attachments/20051115/6209f07f/attachment.bin

More information about the Zope3-users mailing list