List: zope-dev
Subject: [Zope-dev] Are full pathnames in error messages a security bug?
From: "R. David Murray" <rdmurray () bitdance ! com>
Date: 2000-07-31 17:39:33
I don't know if this has been raised before, but the following excerpt
from the most recent SANS security alert consensus made me think:
---------- Forwarded message ----------
[...]
--> {00.31.014} Apache TomCat leaks system information
Apache's TomCat server has been found to provide various types of system
information to an attacker - such as full system paths being displayed in
error messages. TomCat also comes with the "snoop" servlet, which
provides even more detailed information about the system when invoked.
----------------------------------------
Obviously the 'snoop' servlet is the reason this was posted, but
still, they are calling full path information a security leak.
Not perhaps something to put high on a priority list, but should there
be a way to prevent full path information from appearing in
error messages? It would have the side benefit of making the
error messages more readable <grin>.
--RDM
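
One way to keep full paths out of client-facing error messages, as an added example that is not part of the original post and is not Zope's own code: the full traceback goes to a server-side log, and the client sees file names without directories. The function names and the sample path are assumptions made for illustration.

```python
import os
import re
import traceback

# Matches POSIX absolute paths and Windows drive paths inside free text,
# capturing only the final path component.
_PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)(?:[\w.\-]+[\\/])+([\w.\-]+)")


def scrub_paths(text):
    """Replace each absolute path found in text with its final component."""
    return _PATH_RE.sub(lambda m: m.group(1), text)


def format_public_traceback(exc):
    """Render exc for the client: source file names only, no directories."""
    te = traceback.TracebackException.from_exception(exc)
    lines = ["Traceback (most recent call last):"]
    for frame in te.stack:
        lines.append("  File %s, line %s, in %s" % (
            os.path.basename(frame.filename), frame.lineno, frame.name))
    # The exception text can carry a path too (e.g. OSError), so scrub it.
    lines.append(scrub_paths("".join(te.format_exception_only()).strip()))
    return "\n".join(lines)


def render_error(exc, log):
    """Append the full traceback to log; return the scrubbed version."""
    log.append("".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__)))
    return format_public_traceback(exc)


def demo():
    # Constructed failure: this path is a made-up sample, not a Zope layout.
    log = []
    try:
        open("/opt/zope-sample/var/no-such-dir/Data.fs")
    except OSError as exc:
        return render_error(exc, log), log


if __name__ == "__main__":
    public, _ = demo()
    print(public)
```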