Re: [Zope] IIS and Zope share same problem :-S

Fri, 20 Oct 2000 03:01:16 -0700 


Hum... A possible way to solve this problem is to practice the "you
can't do ANYTHING but..." policy... And, thus, according proxy roles to
the methods that must access it, such as index_html.
I know it's constraining but with a little work we can end up with
something quite secure & secret.




P.-J.



Chris Withers wrote:
> 
> > MICROSOFT WEBSERVERS LAID OPEN FOR ALL TO SEE
> > by Dave Murphy, [EMAIL PROTECTED]
> >
> > Microsoft is scrambling to repair damage caused by a
> > security hole in its IIS 4 & 5 webserver that runs on
> > Windows NT/2000. Microsoft claims over four million
> > IIS websites, and each one of them is at risk of
> > releasing sensitive data through the security hole.
> > Called the "Web Server Folder Traversal" error, the
> > flaw allows users to execute files on an IIS website by
> > requesting a specific web address.
> 
> http://www.zope.org/standard_html_header for example ;-)
> http://www.zope.org/objectIds as another...
> 
> > The bug allows access to any file on the webserver via
> > a specified URL. Like all webservers, IIS is supposed
> > to prevent access to files that aren't intended to be
> > part of the website.
> 
> Maybe Zope should too....
> 
> > This article is posted to http://itrain.org/itinfo/2000/it001017.html
> >
> > Live well, do good,
> >
> > --Dave Murphy
> 
> cheers,
> 
> Chris
> 
> _______________________________________________
> Zope maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )

-- 
If the only tool you have is a hammer, 
    you tend to see every problem as a nail.
Si le seul outil dont vous disposez est un marteau, 
    vous avez tendance à voir chaque problème comme un clou. 
                                       --Abraham Maslow

_______________________________________________
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

Reply via email to