dynamic wiki content
Steve Alexander
steve at canonical.com
Wed Nov 17 22:22:22 UTC 2004
>> One cannot do anything with DTML that is not already exposed as an
>> externally available method from the python code. (e.g. one could
>> simply use HTTP GET to run that python method anyway)
>
> That's true; you can visit the appropriate delete method directly and
> delete some objects if you have permission.

If you give me rights to create and execute DTML on a server, I can
easily write DTML code to crash that server. I'm sure I'm not the only
person who knows how to do this.

You cannot achieve the same degree of resource exhaustion over HTTP
without starting a large and obvious DOS attack.

--
Steve Alexander