Insecure XML-RPC exception handling.

Bug #142016 reported by Bug Importer
Affects: Zope 2
Status: Fix Released
Importance: Critical
Assigned to: Unassigned
Milestone:

Bug Description

A request like the one quoted below will cause Zope to reveal the complete physical location where the server and its components are installed.
In some cases it will also reveal information about the servers in the protected LAN (10.x.x.x for example) on which the current server is relaying.
Running the server without the -D option wouldn't stop this information leak.

BTW, the quoted example is part of "XML-RPC How To" [http://www.zope.org/Members/Amos/XML-RPC]. It would be nice if the examples were tested first!

-------- BAD REQUEST EXAMPLE ---------
POST /Foo/Bar/MyFolder HTTP/1.0
Content-Type: text/xml
Content-length: 95

<?xml version="1.0"?>
<methodCall>
 <methodName>objectIds</methodName>
 <params/>
</methodCall>

Tags: bug zope
Revision history for this message
Martijn Pieters (mjpieters) wrote :

Status: Pending => Resolved

Zope 2.6 no longer includes tracebacks in error messages, so private information is not included anymore.

The examples you refer to were written before objectIds was made inaccessible through web calls, hence the error. You can contact the author if their email address is still correct through the "Feedback to this page's author" link in a page footer.
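The leak the report describes and the behaviour the reply credits to Zope 2.6, side by side in an added example (not Zope's code): a minimal XML-RPC dispatcher that either copies the Python traceback into the faultString, which is what exposes installation paths, or returns a generic fault and keeps the detail in the server log. MyFolder, its allow-list `published`, and the method bodies are constructed for the example.

```python
import logging
import traceback
import xmlrpc.client

log = logging.getLogger("xmlrpc")

# Constructed stand-in for the folder the report posts to (/Foo/Bar/MyFolder).
# objectIds is deliberately kept off the hypothetical allow-list of methods
# callable over XML-RPC, mirroring the situation in the report.
class MyFolder:
    published = {"ping"}

    def ping(self):
        return "pong"

    def objectIds(self):
        return ["Bar", "index_html"]

def dispatch(body, target, include_traceback):
    """Handle one XML-RPC methodCall body and return the response XML.
    include_traceback=True reproduces the pre-2.6 behaviour the report
    complains about: the faultString carries the Python traceback and with
    it the installation paths. include_traceback=False is the hardened
    behaviour: a generic fault for the client, full detail in the log only.
    """
    params, method = xmlrpc.client.loads(body)
    try:
        if method not in target.published:
            raise AttributeError("%s is not accessible via XML-RPC" % method)
        result = getattr(target, method)(*params)
        return xmlrpc.client.dumps((result,), methodresponse=True)
    except Exception:
        detail = traceback.format_exc()          # contains File "..." lines
        log.error("XML-RPC call %s failed:\n%s", method, detail)
        text = detail if include_traceback else "Internal server error"
        fault = xmlrpc.client.Fault(-1, text)
        return xmlrpc.client.dumps(fault, methodresponse=True)

def fault_string(response):
    """Return the faultString of a fault response, or '' on success."""
    try:
        xmlrpc.client.loads(response)
        return ""
    except xmlrpc.client.Fault as f:
        return f.faultString

# The request body from the report, constructed inline.
REQUEST = (b'<?xml version="1.0"?>\n<methodCall>\n'
           b' <methodName>objectIds</methodName>\n <params/>\n</methodCall>\n')
```

Calling `dispatch(REQUEST, MyFolder(), True)` yields a fault whose string starts with `Traceback (most recent call last):` and quotes the dispatcher's file path; with `False` the client only sees `Internal server error`.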
