Re: [Zope-dev] Re: [Zope] isecure XML-RPC handling.
> * the immediate correspondence between the request and the response containing essential information to analyse the problem

It's an application problem and the application has to handle it. Log all the requests/responses on the server or the client side.

> * newbies

They have nothing to do in a production environment, don't they? Even with the stack trace immediately in the response, they report problems with no or missing essential details about the problem. Then how can one help there? This will become worse when the error information is hidden in a log.

The point is that production differs from the development environment. In the development environment one can do whatever he needs. In a production environment, reporting information such as physical paths on the server, internal network addresses etc. is unacceptable.

Look at it from a different perspective: someone is browsing the Internet and a site is responding like:

  Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
  [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.
  /login.asp, line 11

A couple of scenarios:
1. If he is a regular user he will go to the next site and most probably will never come back to that site again.
2. If he is a tester or developer - oops, the code has a problem, we have to fix it.
3. If he is an intruder then Bingo! The site has problems escaping special characters before passing them to the SQL server! Let's have a party!

The situation with Zope is similar. Shall the dump help the regular surfer? I doubt so. Shall it benefit the developer or the tester? Most probably not, since they are not performing their activities on the production site. Shall it benefit third party developers that are requesting services from your site? Maybe partially, since they can report the stack to you, but you may get that information from your log anyway. Since they cannot control the code on your side this will not make their lives easier. The only one left is the intruder!

The conclusion is: make the server not dump the stack in the response if the -D option is not given. With -D dump the processor registers if you would like ;) People have to be able to control this, and if there is more precise control like a debug level - then it is even better.

BTW, if a program is expecting an XML-RPC response but it is receiving a stack trace it may be a little confusing (especially for a not so well written program ;). Zope first has to conform to the protocol for XML-RPC exchange (return an XML response) and after that sweeten things for the developers (dump the error in the server's log).

Okay! Dieter

Regards,
Rossen

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: [Zope] isecure XML-RPC handling.
> > Shall the dump help the regular surfer? I doubt so. Shall it benefit the developer or the tester? Most probably not, since they are not performing their activities on the production site.
>
> Oh, they most definitely help the developer or tester, because errors do appear on production sites too, and it can be very hard to recreate the problem.
>
> > The only one problem there is that if a surfer sees the dump most probably he will not send it to the developer
>
> BUT: The developer has access to the system, and the dump doesn't have to be included in the HTML output. Maybe error dumps could be sent to a disk-log of some sort?

Exactly, that's my point. Log it with as many details as you can! Log it on the local file system or use syslog or a database, but do not send it to the user's browser. Do not put it in the response if the server is running without the -D option.

Regards,
Rossen
Re: [Zope-dev] Re: [Zope] isecure XML-RPC handling.
There are two completely different things:
1. the server log
2. the output to the client.

In the first case you may log everything that you think is reasonable - stack traces and dumps, relative and absolute paths, etc. It can maybe be assumed that it is secure, since in general it is not accessible out of the box. My personal opinion is that even this log has to differ if -D (debug option) is missing.

In the second case it is better if Zope is returning just the error or the response. In the XML-RPC case the error has to be a valid XML-RPC response, not a stack trace. I can get that a stack trace may be extremely useful for a developer, but can't he see the server's error log?

BTW, if a program is expecting an XML-RPC response but it is receiving a stack trace it may be a little confusing (especially for a not so well written program ;). Zope first has to conform to the protocol for XML-RPC exchange (return an XML response) and after that sweeten things for the developers (dump the error in the server's log).

Regards,
Rossen

----- Original Message -----
From: Dieter Maurer [EMAIL PROTECTED]
To: Shane Hathaway [EMAIL PROTECTED]
Cc: Rossen Raykov [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, April 04, 2002 2:55 PM
Subject: Re: [Zope-dev] Re: [Zope] isecure XML-RPC handling.

> Shane Hathaway writes:
> > If you can, please check out the latest Zope from CVS. Tracebacks no longer appear by default, and even when they do, they do not show any filesystem paths. (If you already have a checkout, make sure you use cvs up -dP to get the new product.)
>
> I am very interested in filesystem paths, not necessarily absolute ones, but relative pathnames are very helpful to locate a problem.
>
> Dieter
Re: [Zope-dev] Re: [Zope] isecure XML-RPC handling.
Hi all,

My point was that Zope is revealing internal information that is believed to be private and invisible to the Internet users. It happens in its default (debug) installation and even after the -D option is removed from the startup script.

I tried some XML-RPC requests against www.zope.org (2.3.2) and against the default 2.5.0 installation for Windows (with and without the -D option). In both cases Zope was revealing the physical location of the distribution. In the case of www.zope.org it was revealing even information about its internal network (this may be also possible in 2.5.0 but I do not have the time to create a complicated enough configuration).

In general Zope must not reveal any physical information, neither about its installation nor about the internal network behind it. If you need to print traces - use paths relative to the server root. If the debug option is omitted - just print the error and do not print any stack dumps at all! People have to be aware that the default installation is in debug mode and of the results of that. I believe many people will be surprised to learn that they are exposing information about their private networks and server setups.

Finally two clarifications:
1. Zope 2.3.2 does support XML-RPC. Try example one against www.zope.org, it will work just fine!
2. Zope 2.5.0 in its default installation (debug mode) is still revealing information about the physical location of the installed server. See the dump in example two. It is produced as a result of the XML-RPC example from my first e-mail.

Regards,
Rossen

Example one
-----------
POST /Foo/Bar/MyFolder HTTP/1.0
Content-Type: text/xml
Content-length: 110

<?xml version='1.0'?>
<methodCall>
<methodName>title_or_id</methodName>
<params>
</params>
</methodCall>

Example two
-----------
...
Bobo-Exception-File: C:\PROGRA~1\WebSite\bin\lib\xmllib.py
...

Traceback (innermost last):
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 150, in publish_module
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 114, in publish
  File C:\PROGRA~1\WebSite\lib\python\Zope\__init__.py, line 158, in zpublisher_exception_hook
    (Object: Zope)
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\Publish.py, line 63, in publish
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\HTTPRequest.py, line 357, in processInputs
  File C:\PROGRA~1\WebSite\lib\python\ZPublisher\xmlrpc.py, line 47, in parse_input
  File C:\PROGRA~1\WebSite\lib\python\xmlrpclib.py, line 531, in loads
  File C:\PROGRA~1\WebSite\bin\lib\xmllib.py, line 172, in close
  File C:\PROGRA~1\WebSite\bin\lib\xmllib.py, line 405, in goahead
  File C:\PROGRA~1\WebSite\bin\lib\xmllib.py, line 794, in syntax_error
Error: (see above)

----- Original Message -----
From: Brian Lloyd [EMAIL PROTECTED]
To: R. David Murray [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: Rossen Raykov [EMAIL PROTECTED]
Sent: Wednesday, April 03, 2002 12:20 PM
Subject: RE: [Zope-dev] Re: [Zope] isecure XML-RPC handling.

> > I think most people missed the point here. I don't think Rossen is asking for help on running zope or getting xml-rpc to work with it. He's observed a security problem: he believes the fact that a traceback including path names is included in the error response is a security exposure. This has been discussed on zope-dev before, but the fact remains that the security community *does* treat exposure of filesystem path information as a security issue.
>
> Right. There is already code for Zope 2.6 and Zope 3 that addresses this. Shane's new traceback formatting makes the trace information far more readable in addition to removing filesystem path information.
>
> Brian Lloyd [EMAIL PROTECTED]
> V.P. Engineering 540.361.1716
> Zope Corporation http://www.zope.com
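The behaviour the thread converges on, stated in the first message on this page (return a valid XML-RPC fault, keep the stack trace in the server log, let -D control how much goes out) and refined in this one (if a trace is sent at all, use paths relative to the server root), as an added example. This is not Zope's ZPublisher code; it uses Python 3's standard `xmlrpc.client` to parse the request body and build the response. `SERVER_ROOT` is a placeholder for the install directory, the `METHODS` table is a constructed stand-in for the published object, and the two sample requests are constructed after the ones quoted in the thread.

```python
"""Added example (not Zope's code): answer an XML-RPC call so that every
failure, a malformed request body included, comes back as a proper
<methodResponse><fault> while the full traceback goes only to the server log."""
import logging
import os
import re
import traceback
import xmlrpc.client

log = logging.getLogger("xmlrpc.server")

# Assumed install root: a placeholder standing in for the real server directory.
SERVER_ROOT = "/opt/zope"

# Constructed stand-in for the published object: the only method it exposes.
METHODS = {"objectIds": lambda: ["index_html", "MyFolder"]}

# Constructed sample requests, modelled on the ones quoted in the thread.
GOOD_REQUEST = ('<?xml version="1.0"?><methodCall><methodName>objectIds'
                '</methodName><params/></methodCall>')
BAD_REQUEST = '<?xml version="1.0"?><methodCall><methodName>objectIds'  # truncated XML

_FILE_RE = re.compile(r'File "([^"]+)"')


def scrub_paths(tb_text, root=SERVER_ROOT):
    """Rewrite the 'File "..."' entries of a formatted traceback: paths under
    root become root-relative, anything else (stdlib, site-packages) keeps
    only its basename, so no absolute location of the installation leaks."""
    prefix = root.rstrip(os.sep) + os.sep

    def repl(match):
        path = match.group(1)
        if path.startswith(prefix):
            return 'File "%s"' % path[len(prefix):]
        return 'File "%s"' % os.path.basename(path)

    return _FILE_RE.sub(repl, tb_text)


def handle_xmlrpc(body, debug=False):
    """Return (http_status, content_type, response_body) for a POSTed body.

    debug=False is the production setting: the client learns only the
    exception class. debug=True mimics a -D run: the trace is sent, but
    with scrubbed paths. Either way the response is valid XML-RPC."""
    try:
        params, method = xmlrpc.client.loads(body)  # raises on malformed XML
        if method not in METHODS:
            raise LookupError("no such method: %s" % method)
        result = METHODS[method](*params)
        return 200, "text/xml", xmlrpc.client.dumps((result,), methodresponse=True)
    except Exception as exc:
        tb = traceback.format_exc()
        # Everything, absolute paths included, stays server-side.
        log.error("XML-RPC call failed:\n%s", tb)
        if debug:
            detail = scrub_paths(tb)
        else:
            detail = "Internal error (%s); details are in the server log" % type(exc).__name__
        fault = xmlrpc.client.Fault(1, detail)
        return 200, "text/xml", xmlrpc.client.dumps(fault, methodresponse=True)


def parse_response(body):
    """Decode a methodResponse body as a client would:
    ('ok', value) or ('fault', faultCode, faultString)."""
    try:
        (value,), _ = xmlrpc.client.loads(body)
        return ("ok", value)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode, fault.faultString)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for body, debug in ((GOOD_REQUEST, False), (BAD_REQUEST, False), (BAD_REQUEST, True)):
        status, ctype, resp = handle_xmlrpc(body, debug=debug)
        print(status, ctype, parse_response(resp))
```

The malformed request is the interesting case: `xmlrpc.client.loads` raises an `ExpatError` from inside the parser, exactly the situation in which Zope 2.3.2 sent back an HTML traceback, and here it still produces a `<fault>` that any XML-RPC client library can decode. A production server gets the `debug=False` branch; the scrubbed trace in the `debug=True` branch is what the "relative paths to the server root" suggestion looks like in practice.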
[Zope-dev] isecure XML-RPC handling.
Zope is not handling XML-RPC requests correctly. Even the example from http://www.zope.org/Members/Amos/XML-RPC is not working. Even worse, if a request like the one in the quoted example is sent to the web server it will report information about the local server installation and the internal network.

Included are a request and response to www.zope.org. As one may see, the server is installed in /usr/local/base/Zope-2.3.2-modified/ and it relies on 10.0.11.3:1380 for request processing. All this may be useful debug information but it is not acceptable for a production server!

I'm not familiar with Zope and I cannot say whether it is only a configuration problem or a problem in the code. I do not have time to investigate that, but a similar result may be achieved with the distribution offered for download.

Please let me know if I have to send this bug information to someone else. I would like to be informed when this issue is resolved so I can announce it on Bug-Traq.

Regards,
Rossen Raykov

-------------------- cut here --------------------
$ telnet www.zope.org 80
Trying 63.102.49.33...
Connected to www.zope.org.
Escape character is '^]'.
POST /Foo/Bar/MyFolder HTTP/1.0
Content-Type: text/xml
Content-length: 95

<?xml version="1.0"?>
<methodCall>
<methodName>objectIds</methodName>
<params/>
</methodCall>

HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Sat, 23 Mar 2002 03:09:14 GMT
Bobo-Exception-File: /var/tmp/python/python-root/usr/lib/python1.5/xmllib.py
Content-Type: text/html
Bobo-Exception-Type: RuntimeError
Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"><HTML><HEAD><TITLE>Welcome to Zope.org</TITLE><link rel="stylesheet" href="http://10.0.11.3:1380/zope_css" type="text/css"></HEAD><BOD
Content-Length: 6864
Bobo-Exception-Line: 748

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>Welcome to Zope.org</TITLE>
<link rel="stylesheet" href="http://10.0.11.3:1380/zope_css" type="text/css">
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#666666" VLINK="#606060" TOPMARGIN=0 LEFTMARGIN=0 MARGINWIDTH=0 MARGINHEIGHT=0>
[... Zope.org page header, search form and sidebar navigation markup, including
<A CLASS="sidemenu" HREF="/login.html?came_from=http://10.0.11.3:1380">Log in</A>;
the remainder of the HTML body is truncated in the archived message ...]