Zebra allows access to internal configuration files

[powerriegel]

Zebra 2.2.2-1 on Debian Bullseye allows to access
DOMAIN:ZEBRAPORT/app/etc/local.xml

which contains password and user name in clear text.

<zs:explainResponse>
<zs:version>2.0</zs:version>
<zs:record>
<zs:recordSchema>https://explain.z3950.org/dtd/2.0/</zs:recordSchema>
<zs:recordXMLEscaping>xml</zs:recordXMLEscaping>
<zs:recordData>
<explain xml:base="../../zebradb/explain-biblios.xml">
<!--
 try stylesheet url: https://./?stylesheet=docpath/sru2.xsl 
-->
<serverInfo protocol="SRW/SRU/Z39.50">
<host>localhost</host>
<port>9999</port>
<!--
 <database numRecs="1314" lastUpdate="2006-03-15 09-05-33">
         Default</database> 
-->
<database>biblios</database>
<!--
<authentication>
      <user>xxxxxxxxxxx</user>
      <group>xxxxxxxxxxx</group>
      <password>xxxxxxxxxxxx</password>
    </authentication>
-->
</serverInfo>

If SRU is enabled, then the path would be DOMAIN/sru/etc/local.xml with the following standard Apache2 lines. This might be accessible world wide if you use SRU.

ProxyPass /sru/ https://localhost:ZEBRAPORT/
ProxyPassReverse /sru/ https://localhost:ZEBRAPORT/

We're using Zebra together with Koha 22.11.