Steve Alexander steve at canonical.com
Wed Nov 17 22:22:22 UTC 2004

>> One cannot do anything with DTML that is not already exposed as an
>> externally available method from the python code.  (e.g. one could
>> simply use HTTP GET to run that python method anyway)
> That's true; you can visit the appropriate delete method directly and 
> delete some objects if you have permission.

If you give me rights to create and execute DTML on a server, I can 
easily write DTML code to crash that server.  I'm sure I'm not the only 
person who knows how to do this.

You cannot achieve the same degree of resource exhaustion over HTTP
without starting a large and obvious DoS attack.

Steve Alexander

