Zope - SecurityFocus Newsletter #232 (fwd)
Hi,

Can anyone shed light on all of these? I know about some of them, but this is quite a disturbingly long list...

cheers,

Chris

---------- Forwarded Message ----------
Date: Tuesday, January 20, 2004 2:45 PM -0700
From: Kelly Martin <kel@securityfocus.com>
To: sf-news@securityfocus.com
Subject: SecurityFocus Newsletter #232

8. Zope Multiple Vulnerabilities
BugTraq ID: 9400
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9400
Summary:
Zope is an open source web application server, maintained by the Zope Project. Zope is available for Linux, Unix, and Microsoft Windows based systems.

Multiple vulnerabilities have been reported to exist in the software that may allow an attacker to carry out attacks resulting from improper input validation, access validation, information disclosure, and various improper security checks on a vulnerable system. Successful exploitation of these issues may lead to cross-site scripting attacks, denial of service conditions, and other attacks.

The following specific issues have been identified:

The ZSearch interface has been reported to be prone to a cross-site scripting vulnerability. Successful exploitation of this issue may allow a remote attacker to carry out cross-site scripting attacks by enticing a victim user to follow a malicious link to a site hosting the software that contains embedded HTML and script code. The embedded code may be rendered in the web browser of the victim user in the security context of the site hosting the vulnerable software.

A denial of service vulnerability has been identified in 'ZTUtils.SimpleTree' that may allow an attacker to cause a denial of service condition in the software. This condition results from improper state handling.

An access validation issue has been reported to exist in the admin "find" functions. This issue may lead to an attacker gaining access to sensitive information without proper authentication.
An unspecified access validation issue has been identified in the PropertyManager 'lines' and 'tokens' properties. It has been reported that some property types are stored in a mutable data type (list) and may allow untrusted code to effect changes on the properties without proper security validation.

An unspecified access validation issue may exist in the DTMLDocument objects. This issue could allow an attacker to gain access to sensitive information.

Another access validation issue has been identified in DTMLMethods. It has been reported that DTMLMethods proxy rights may be incorrectly inherited when traversing to a parent object.

A denial of service vulnerability has been identified in the DTML tag 'dtml-tree' that may allow an attacker to cause a denial of service condition in the software.

An information disclosure vulnerability is reported to exist in the software. This issue may allow an attacker to disclose certain attributes via XML-RPC marshalling of class instances.

An access validation issue has been reported to exist in the software that may allow unauthorized access to certain variables. This issue occurs due to improper initialization of PythonScript class security.

A denial of service vulnerability exists in RESPONSE.write() that may allow an attacker to pass malicious unicode values, causing the ZServer main loop to terminate and resulting in a crash or hang.

An access validation issue may exist in the software due to unpacking via function calls, variable assignment, and exception variables without sufficient security checks. This issue may allow an attacker to gain access to sensitive data.

Another access validation issue may allow an attacker to execute a malicious script on a vulnerable system in order to gain unauthorized access to certain objects. This issue results from improper verification of variables bound to page templates and Python scripts such as 'context' and 'container'.
An unspecified error has been reported to exist due to the use of min, max, enumerate, iter, and sum in untrusted code.

An issue has been identified in the use of 'import as' in Python scripts that may allow an attacker to bypass security checks.

Another access validation issue has been identified in the list and dictionary instance methods that may allow an attacker to gain unauthorized access to certain objects. A similar issue has also been identified in for loops, list comprehensions, and other iterations of untrusted code.

Further analysis of these issues is currently underway. This BID will be separated into individual BIDs upon completion of analysis.

These issues have been reported to exist in Zope versions 2.6.2 and prior and development releases 2.7.0 beta3. Other versions could be affected as well.

---------- End Forwarded Message ----------

Richard Hopkins, Information Services, Computer Centre, University of Bristol, Bristol, BS8 1UD, UK
Tel +44 117 928 7859 Fax +44 117 929 1576
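The PropertyManager 'lines'/'tokens' item and the list and dictionary instance method item in the forwarded advisory come down to the same Python hazard: code that is handed the live mutable object behind a property can change it without ever going through the guarded setter where the permission check lives. The following is an added illustration written for this thread, not Zope's PropertyManager code and not how the Zope fixes were implemented; the class names, the `guarded_writes` counter, the dict-backed "metadata" property and the read-only snapshot approach (tuple for lists, `MappingProxyType` for dicts) are all assumptions made for the demonstration, and the example generalises from the list case in the advisory to dicts as well.

```python
"""Added illustration (not Zope's code): a property stored as a mutable list or
dict and handed back as-is can be changed by restricted code without any
security check; returning a read-only snapshot closes that path.
All class and function names here are hypothetical."""
from types import MappingProxyType


class LeakyPropertyManager:
    """Hypothetical manager that stores a 'lines' property as a list and some
    metadata as a dict, and returns the internal objects themselves."""

    def __init__(self, lines, metadata):
        self._lines = list(lines)
        self._metadata = dict(metadata)
        self.guarded_writes = 0   # how many changes went through the checked setter

    def get_lines(self):
        return self._lines        # aliasing: caller now holds the live list

    def get_metadata(self):
        return self._metadata     # same problem for the dict

    def set_lines(self, new_lines):
        # In a real system the permission check lives here; the reads above
        # never reach it, so a mutated return value bypasses it entirely.
        self.guarded_writes += 1
        self._lines = list(new_lines)


class SafePropertyManager(LeakyPropertyManager):
    """Same storage, but reads hand out immutable views, so the only way to
    change the property is the checked setter."""

    def get_lines(self):
        return tuple(self._lines)

    def get_metadata(self):
        return MappingProxyType(self._metadata)


def restricted_code_tries_to_mutate(manager):
    """Stands in for untrusted code that was granted read access only.
    Returns (list_mutated, dict_mutated)."""
    lines = manager.get_lines()
    meta = manager.get_metadata()
    list_mutated = dict_mutated = False
    try:
        lines.append("added by untrusted code")
        list_mutated = True
    except AttributeError:        # a tuple has no append()
        pass
    try:
        meta["owner"] = "untrusted"
        dict_mutated = True
    except TypeError:             # mappingproxy rejects item assignment
        pass
    return list_mutated, dict_mutated


def run_demo(manager_cls):
    """Build a manager with constructed sample data, let 'restricted' code at
    it, and report what changed. Returns
    (list_mutated, dict_mutated, lines_after, owner_after, guarded_writes)."""
    m = manager_cls(["first", "second"], {"owner": "admin"})
    list_mutated, dict_mutated = restricted_code_tries_to_mutate(m)
    return (list_mutated, dict_mutated, list(m._lines),
            m._metadata["owner"], m.guarded_writes)


if __name__ == "__main__":
    print("leaky:", run_demo(LeakyPropertyManager))
    print("safe: ", run_demo(SafePropertyManager))
```

With the leaky manager both the list and the dict are changed while `guarded_writes` stays at zero, which is exactly the "changes without proper security validation" the advisory describes; with the snapshot-returning manager the stored values are untouched and the only route to a change is `set_lines()`, where a check can be enforced.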
Can anyone shed light on all of these? I know about some of them, but this is quite a disturbingly long list...
These fixes were mentioned in the last few announcements Brian made, as well as an explanation how several of the issues came to be found. The particular security focus message you've quoted is a summary of Brian's announcement. ...
Further analysis of these issues is currently underway. This BID will be separated into individual BIDs upon completion of analysis.
Interesting.

--
Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer
Chris Withers wrote:
Hi,
Can anyone shed light on all of these? I know about some of them, but this is quite a disturbingly long list...
What is the current status of these issues? I am running a rather large site with sensitive personal data. The decision to use Python/Zope instead of Java/uPortal is very much debated by people with power, and I am trying to protect the investment made in Zope. I know, you get what you pay for etc, but I am struggling to keep Zope instead of having to migrate to Java, and it is hard enough as it is. All this is politics, perception and logistics and has nothing to do with technical advantage.

Unfortunately I cannot help very much in resolving these issues since I am not knowledgeable enough to be able to help, but I would like to follow the status of these issues, under NDA if need be. It is also a matter of taking steps to protect personal data.

Sincerely,

/dario

--
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
On Fri, 23 Jan 2004 12:17:38 +0100 Dario Lopez-Kästen <dario@ita.chalmers.se> wrote:
Chris Withers wrote:
Hi,
Can anyone shed light on all of these? I know about some of them, but this is quite a disturbingly long list...
What is the current status of these issues? I am running a rather large site with sensitive personal data.
They are fixed in the latest releases of Zope 2.6 and 2.7
The decision to use Python/Zope instead of Java/uPortal is very much debated by people with power, and I am trying to protect the investment made in Zope.
The security vulnerabilities were not publicly announced until new versions of Zope were available that fixed them.
I know, you get what you pay for etc, but I am struggling to keep Zope
instead of having to migrate to Java, and it is hard enough as it is. All this is politics, perception and logistics and has nothing to do with technical advantage.
Actually with Zope, I think you get a lot more than you pay for ;^)
Unfortunately I cannot help very much in resolving these issues since I am not knowledgeable enough to be able to help, but I would like to follow the status of these issues, under NDA if need be.
The issues are already resolved. The only question is whether you can do a timely upgrade to a fixed version.
It is also a matter of taking steps to protect personal data.
Download a new version of Zope and test it out with a copy of your application. Let us know if anything breaks.

-Casey
Casey Duncan wrote:
They are fixed in the latest releases of Zope 2.6 and 2.7
...snip good info...
Download a new version of Zope and test it out with a copy of your application. Let us know if anything breaks.
Thank you.

Sincerely,

/dario - off to test new zope-versions

--
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
participants (4)
- Casey Duncan
- Chris Withers
- Dario Lopez-Kästen
- Jamie Heilman