Take the cgi vulnerability patch seriously!
Hi!

Normally I do not comment on security patches for Zope because they fix very minor issues. The recent patch announced on http://www.zope.org/Products/Zope/Hotfix_2001-07-25/security_alert is different. We tested the exploit script provided at sourceforge, and it immediately pushed any of our servers we tested it on to > 90% system load. With two or three calls of the script, any Zope server (including all other services running on the server) can be brought to a halt.

So please take care of your servers! The exploit is posted with the bug report, and anybody who knows how to copy&paste and start a python script can use it to stop any Zope server in the world that is unprotected.

Moreover, there seems to be an Opera bug that has the same effect ...

Cheers

iuveno AG
Joachim Werner
CEO
> Normally I do not comment on security patches for Zope because they fix very minor issues. The recent patch announced on http://www.zope.org/Products/Zope/Hotfix_2001-07-25/security_alert is different. We tested the exploit script provided at sourceforge, and it immediately pushed any of our servers we tested it on to > 90% system load. With two or three calls of the script, any Zope server (including all other services running on the server) can be brought to a halt.
Note that people running other Python-based Web systems that use cgi.py should also be paying attention to this. I don't know if WebWare or other larger web systems use cgi.py for form parsing, but I'm sure most plain Python cgi scripts do.

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  www.digicool.com
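Brian's point is that the affected code is not Zope-specific: anything that parses form data through the standard-library cgi module is in scope for the patch. The first step for an administrator is therefore an inventory of which scripts and services actually use cgi.FieldStorage. The following scanner is an added example written for this archive page; it is not code from the thread, from Zope or from Digital Creations. It walks a source tree with the ast module (so the scanned code is never imported or executed) and reports every file and line where cgi.FieldStorage is constructed, including imports under an alias. The three sample files it scans are constructed in a temporary directory purely for the demonstration.

```python
"""Inventory scanner: which Python sources parse forms with cgi.FieldStorage?

Added example for the mailing-list thread above, not part of it.  It only
parses source text with `ast`, so the scanned scripts are never executed and
the (since removed) cgi module itself is never imported.
"""
import ast
import os
import tempfile


def find_cgi_usage(source: str, filename: str = "<string>") -> dict:
    """Report whether one Python source imports cgi and builds a FieldStorage.

    Returns {"imports_cgi": bool, "uses_fieldstorage": bool, "lines": [..]}
    where "lines" lists the line numbers of FieldStorage(...) calls.
    """
    result = {"imports_cgi": False, "uses_fieldstorage": False, "lines": []}
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError:
        # Old Python 1.x/2.x syntax that ast cannot parse: report nothing
        # rather than guessing; such files still deserve a manual look.
        return result

    module_aliases = set()   # names bound to the cgi module: "cgi", "c", ...
    direct_names = set()     # names bound to cgi.FieldStorage itself

    # Pass 1: collect every way the module or the class can be referenced.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "cgi":
                    result["imports_cgi"] = True
                    module_aliases.add(alias.asname or "cgi")
        elif isinstance(node, ast.ImportFrom) and node.module == "cgi":
            result["imports_cgi"] = True
            for alias in node.names:
                if alias.name == "FieldStorage":
                    direct_names.add(alias.asname or "FieldStorage")

    # Pass 2: find the constructor calls through either reference style.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        hit = False
        if isinstance(func, ast.Attribute) and func.attr == "FieldStorage":
            hit = isinstance(func.value, ast.Name) and func.value.id in module_aliases
        elif isinstance(func, ast.Name):
            hit = func.id in direct_names
        if hit:
            result["uses_fieldstorage"] = True
            result["lines"].append(node.lineno)
    result["lines"].sort()
    return result


def scan_tree(root: str) -> list:
    """Return [(relative_path, [line, ...]), ...] for files using FieldStorage."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".py", ".cgi")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                info = find_cgi_usage(fh.read(), path)
            if info["uses_fieldstorage"]:
                hits.append((os.path.relpath(path, root), info["lines"]))
    return sorted(hits)


# Constructed sample tree: two scripts that parse forms via cgi.py (one under
# an alias) and one that does not.  Hypothetical files, not from the thread.
SAMPLE_FILES = {
    "form.cgi": "import cgi\nform = cgi.FieldStorage()\nprint(form.getvalue('q'))\n",
    "upload.py": (
        "from cgi import FieldStorage as FS\n"
        "\n"
        "def handle(env):\n"
        "    return FS(fp=env['wsgi.input'], environ=env)\n"
    ),
    "clean.py": "import json\n\ndef handle(body):\n    return json.loads(body)\n",
}


def demo() -> list:
    """Write the sample files to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, src in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, lines in demo():
        print(f"{path}: cgi.FieldStorage constructed at line(s) {lines}")
```

Run it against a real document root with `scan_tree("/path/to/cgi-bin")`; every file it lists is a candidate for the patched cgi.py, and files it could not parse are worth checking by hand.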
Participants (2):
- Brian Lloyd
- Joachim Werner