Insecure XML-RPC exception handling.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Fix Released | Critical | Unassigned |
Bug Description
A request like the one quoted below will cause Zope to reveal the complete physical location where the server and its components are installed.
In some cases it will also reveal information about the servers in the protected LAN (10.x.x.x for example) on which the current server is relying.
Running the server without the -D option wouldn't stop this information leak.
BTW, the quoted example is part of the "XML-RPC How To" [http://
-------- BAD REQUEST EXAMPLE ---------
POST /Foo/Bar/MyFolder HTTP/1.0
Content-Type: text/xml
Content-length: 95
<?xml version="1.0"?>
<methodCall>
<methodName>
<params/>
</methodCall>
Status: Pending => Resolved
Zope 2.6 no longer includes tracebacks in error messages, so private information is not included anymore.
The examples you refer to were written before objectIds was made inaccessible through web calls, hence the error. You can contact the author if their email address is still correct through the "Feedback to this page's author" link in a page footer.
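The leak described in the report and the fix described in the reply both come down to one decision: what an XML-RPC server puts in the faultString when an unhandled exception occurs. The following Python example is added here to illustrate that decision; it is not Zope code and not part of the original bug. It assumes a hypothetical dispatcher (`dispatch`) whose exception text and traceback carry an installation path (`INSTALL_ROOT`, a constructed value), and it serializes each fault with the standard library's `xmlrpc.client` to show exactly what a client would see on the wire.

```python
import logging
import traceback
import xmlrpc.client

# Constructed stand-in for the kind of detail a traceback reveals: the absolute
# path of the module that raised. Hypothetical path, not a real Zope install.
INSTALL_ROOT = "/opt/example-zope/lib/python/Products/Foo"

log = logging.getLogger("xmlrpc.faults")


def dispatch(method_name):
    """Hypothetical dispatcher: raises the kind of error that calling an
    unknown or non-publishable method (like objectIds in the report) produces.
    The message deliberately mentions the install path, as real errors often do."""
    raise AttributeError(
        "%s/Bar.py: no publishable method %r" % (INSTALL_ROOT, method_name)
    )


def fault_leaking(method_name):
    """Insecure handling: the exception text and the full traceback are copied
    into the faultString that is sent back to the client."""
    try:
        return dispatch(method_name)
    except Exception as exc:
        return xmlrpc.client.Fault(-1, "%s\n%s" % (exc, traceback.format_exc()))


def fault_hardened(method_name):
    """Hardened handling: the traceback is logged server-side for the operator,
    and the client receives only a generic fault with no local detail."""
    try:
        return dispatch(method_name)
    except Exception:
        log.exception("XML-RPC call %r failed", method_name)
        return xmlrpc.client.Fault(-1, "Internal error while handling request")


def fault_string_on_wire(fault):
    """Serialize the fault as the server would and parse it back as a client
    does, returning the faultString the caller actually sees."""
    body = xmlrpc.client.dumps(fault, methodresponse=True)
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as seen:
        return seen.faultString
    raise AssertionError("expected a <fault> methodResponse")


def leaks_install_path(fault):
    """True if the client-visible faultString discloses the install path."""
    return INSTALL_ROOT in fault_string_on_wire(fault)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for name, handler in (("leaking", fault_leaking), ("hardened", fault_hardened)):
        fault = handler("objectIds")
        print("%-8s leaks path: %s" % (name, leaks_install_path(fault)))
```

The check a reviewer would apply to any XML-RPC (or other RPC) error path is the one `leaks_install_path` performs: inspect the serialized fault, not the server-side exception object, because only the former reaches the network. Logging the traceback with `log.exception` keeps the diagnostic value for the operator, which is why switching off a debug flag such as `-D` is not by itself a sufficient fix if the fault string is still built from the traceback.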