Vulnerability in Zope
Found vulnerability: retrieve a full path to local files in Zope.

---[ Example 1 (Linux):

telnet www.zope.org 80
PROPFIND / HTTP/1.0
F G H J K L

HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:38:59 GMT
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
Bobo-Exception-Type: TypeError
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py
Bobo-Exception-Type: TypeError
Content-Type: text/html
Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css" type="text/css"> </HEAD> <BODY B
Bobo-Exception-Line: 369
...
<!--
Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: PROPFIND)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: PROPFIND)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Resource.py, line 222, in PROPFIND
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 175, in apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop
    (Object: Virtual)
TypeError: (see above)
-->
Host has closed connection.

---[ Example 2 (Linux):

telnet www.zope.com 80
GGGG / HTTP/1.0 or NOTREALCOMMAND / HTTP/1.0

HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Fri, 21 Sep 2001 12:51:48 GMT
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py
Content-Type: text/html
Bobo-Exception-Type: NotFound
Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>Welcome to Zope.org</TITLE> <link rel="stylesheet" href="http://www.zope.org/zope_css" type="text/css"> </HEAD> <BODY B
Content-Length: 5845
Bobo-Exception-Line: 547
< ... >
<!--
Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 173, in publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py, line 308, in setBody
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py, line 547, in notFoundError
NotFound: (see above)
-->
Host has closed connection.

---[ Example 3 (Win32):

OPTIONS / HTTP/1.0 or NOTREALCOMMAND / HTTP/1.0

HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (binary release, python 1.5.2, win32-x86) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:06:43 GMT
Bobo-Exception-File: D:\INSTOC~1\lib\python\webdav\NullResource.py
Bobo-Exception-Type: Not Found
Content-Type: text/html
Location: http://SERVERNAME
Bobo-Exception-Value: bobo exception
Content-Length: 756
Bobo-Exception-Line: 122

<html><head><title>::</title></head><body bgcolor="#FFFFFF">
<h2>нЬХАЙЮ!</h2>
<p>нЬХАЙЮ ОПХ ОНОШРЙЕ НОСАКХЙНБЮРЭ ПЕЯСПЯ.</p>
<hr noshade>
</body></html>
<!--
Traceback (innermost last):
  File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 223, in publish_module
  File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 187, in publish
  File D:\INSTOC~1\lib\python\Zope\__init__.py, line 221, in zpublisher_exception_hook
    (Object: iVirtualHostBase)
  File D:\INSTOC~1\lib\python\ZPublisher\Publish.py, line 162, in publish
  File D:\INSTOC~1\lib\python\ZPublisher\BaseRequest.py, line 340, in traverse
  File D:\INSTOC~1\lib\python\webdav\NullResource.py, line 122, in __bobo_traverse__
    (Object: iVirtualHostBase)
Not Found: (see above)
-->
Host has closed connection.

Do others consider this a vulnerability? While it reveals more information than people might want, I'm curious about scenarios under which it could be exploited.

If any of you know of something *specific*, meaning it's a genuinely exploitable vulnerability, please email me or Brian Lloyd (brian@zope.com) directly, rather than explain to the world how to do it.

--Paul

_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
On Sun, Sep 23, 2001 at 10:36:33AM -0400, Paul Everitt wrote:
Do others consider this a vulnerability? While it reveals more information than people might want, I'm curious about scenarios under which it could be exploited.
If any of you know of something *specific*, meaning it's a genuinely exploitable vulnerability, please email me or Brian Lloyd (brian@zope.com) directly, rather than explain to the world how to do it. ... ...
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
Think about social engineering. Knowing this sort of thing, while this is not a vulnerability in itself, allows everybody to remotely know where Data.fs is.

bye,
Jerome Alet

Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for.... but I'm not sure what this guy is on. I wouldn't count this as a "security vulnerability".

----- Original Message -----
From: "Chris Withers" <chrisw@nipltd.com>
To: "Paul Everitt" <paul@zope.com>; "ALife" <buginfo@inbox.ru>
Cc: <Zope-Dev@zope.org>
Sent: Sunday, September 23, 2001 10:44 AM
Subject: Re: [Zope-dev] Vulnerability in Zope
Do others consider this a vulnerability?
Yup... especially given the hard-coded (sigh) error page returned for authentication error gives out this information :-(
Chris
* Andy McKay <andym@ActiveState.com> [010924 01:11]:
Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for.... but I'm not sure what this guy is on. I wouldn't count this as a "security vulnerability".
It's not an exploitable vulnerability (which is the only sort of vulnerability in my book ;) but it's as ugly as a warthog, and it would be nice to arrange things more gracefully.

seb

seb bacon wrote:
* Andy McKay <andym@ActiveState.com> [010924 01:11]:
Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for.... but I'm not sure what this guy is on. I wouldn't count this as a "security vulnerability".
It's not an exploitable vulnerability (which is the only sort of vulnerability in my book ;) but it's as ugly as a warthog, and it would be nice to arrange things more gracefully.
I just had a _really_ bad attack of Deja Vu reading this thread :-S

Chris

On Sun, 2001-09-23 at 17:00, Andy McKay wrote:
[snip] Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for.... but I'm not sure what this guy is on. I wouldn't count this as a "security vulnerability".
Hmm. It's 'side-band' information. Assuming that a cracker could get arbitrary code to run on the server through some other vulnerability (say a buffer overflow in some daemon), this information could be exploited to make their attack on the Zope installation more targeted.

All this is assuming that the cracker in question is very clever, and has something in mind that is more subtle than simply shutting the server down, because if they can get arbitrary code to run on the server, it's toast anyway. An example of a subtle attack would be re-writing an e-commerce product so that any credit-card information would get silently copied and forwarded elsewhere.

In short, the principle here is that *given* that some other vulnerability could give a cracker access to the server in some way, you still don't want to give them any more information on the server configuration than you have to.

Michael Bernstein.

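Added example (not part of the original thread and not Zope's own code): one way to act on the principle above is to strip the Bobo-Exception-* headers and the appended traceback comment from a response before it leaves the server, while recording what was leaking so it can go to a log instead. The function name scrub_response and the sample response, shortened from the 404 quoted in the thread, are constructed for illustration.

```python
import re

# Constructed sample, shortened from the 404 response quoted in the thread.
SAMPLE = (
    b"HTTP/1.0 404 Not Found\r\n"
    b"Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1\r\n"
    b"Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py\r\n"
    b"Content-Type: text/html\r\n"
    b"Bobo-Exception-Type: NotFound\r\n"
    b"Content-Length: 0\r\n"
    b"Bobo-Exception-Line: 547\r\n"
    b"\r\n"
    b"<html><body>Not Found</body></html>\n"
    b"<!-- Traceback (innermost last):\n"
    b"  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py,"
    b" line 223, in publish_module\n"
    b"NotFound: (see above)\n-->\n"
)

# The HTML comment that carries the appended traceback.
TRACEBACK_COMMENT = re.compile(rb'<!--\s*Traceback \(innermost last\):.*?-->\s*', re.S)
# Absolute Unix paths or drive-letter Windows paths that end in .py
SOURCE_PATH = re.compile(rb'(?:/|[A-Za-z]:\\)[^\s,<>"]*\.py')

def scrub_response(raw):
    """Return (cleaned_response, findings) for one raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *headers = head.split(b"\r\n")
    findings, kept = [], []
    for line in headers:
        name = line.split(b":", 1)[0].strip().lower()
        if name.startswith(b"bobo-exception-"):
            findings.append("header " + line.decode("latin-1"))
        elif name != b"content-length":  # recomputed after the body is cleaned
            kept.append(line)
    # Record every source path the body exposes before removing the comment.
    for path in sorted(set(SOURCE_PATH.findall(body))):
        findings.append("body path " + path.decode("latin-1"))
    body = TRACEBACK_COMMENT.sub(b"", body)
    kept.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join([status, *kept]) + b"\r\n\r\n" + body, findings
```

The findings list is what belongs in the server log; the cleaned response still tells the client it got a 404 without naming any file on disk.
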
participants (7)
- ALife
- Andy McKay
- Chris Withers
- Jerome Alet
- Michael R. Bernstein
- Paul Everitt
- seb bacon