Hello all - We have recently become aware of two important security issues that managers of Zope sites need to be aware of. Please see the overview at: http://www.zope.org/Members/jim/ZopeSecurity/TrojanIssueOverview for further details. Brian Lloyd brian@digicool.com Software Engineer 540.371.6909 Digital Creations http://www.digicool.com
Uhmm; what about this idea? On every action-selection (management) menu, for example, the contents view of a folder; generate a (fairly or completely) random key. action-selection menu: Menu from where actions can be performed, i.e. DTMLMethods deleted, etc. This value gets stored in some sort of table, and expires after x*n minutes. In the table there's a reference to where the key was generated and by whom. Now, when somebody deletes something, the random key is checked against the table.. This could be a good idea... This isn't a well formulated idea, simply a spark of Zen (or something) =).. -Morten
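A sketch of the key table proposed above, as an added example that is not part of the original thread and not Zope code: a random key is issued when a management menu is rendered, stored with who requested it and where, expires after a fixed time, and is checked (and consumed) before the action runs. The class name, method names, user name and paths are all hypothetical.

```python
import secrets
import time


class ActionKeyTable:
    """Server-side table of one-time keys for management forms (hypothetical)."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._rows = {}             # key -> (user, location, expires_at)

    def issue(self, user, location):
        """Call when rendering a management menu; embed the key in the form."""
        self._purge()
        key = secrets.token_urlsafe(32)   # unguessable, 256 bits of randomness
        self._rows[key] = (user, location, self.clock() + self.ttl)
        return key

    def check(self, key, user, location):
        """Call before a state-changing action such as deleting an object."""
        self._purge()
        row = self._rows.pop(key, None)   # one-time use: any presented key is burned
        if row is None:
            return False                  # unknown, expired or already used
        row_user, row_location, _expires = row
        # The key must come from the same user and the same menu it was issued for.
        return row_user == user and row_location == location

    def _purge(self):
        """Drop rows whose lifetime has passed."""
        now = self.clock()
        for key in [k for k, r in self._rows.items() if r[2] <= now]:
            del self._rows[key]
```

A request that arrives without a key issued to that user for that menu, such as one triggered by a link or form on another site, fails the check and the action is not performed.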
I recently re-installed zope to run as an NT Service. Today I rebooted the server and a dos window remains open after Zope has started. It is a window running Python.exe. I have not seen this before. Pages seem to be loading OK. Before rebooting I had stopped Zope via the Service Manager. When I tried to restart the same Dos window opened and behaved like it was in a loop of sorts. One window was continuously replaced by another over and over again. Occasionally I could see a traceback message but that window would be replaced by a new one too quickly to see what was happening.
Has anyone seen this behaviour? My server has been restarted for 30 minutes now and, apparently, a permanent Python DOS box is open on the desktop.
In the Service Control Manager and under start-up properties, Interact with Desktop is checked. Would this cause this? (Though the dos window was not there when I logged on this morning)
Thanks,
hisnibs
----- Original Message ----- From: "Morten W. Petersen" <morten@src.no> To: "Brian Lloyd" <Brian@digicool.com> Cc: <zope@zope.org>; <zope-dev@zope.org> Sent: Wednesday, May 10, 2000 7:25 AM Subject: [Zope] Re: [Zope-dev] Zope security alert and 2.2 information
Uhmm; what about this idea?
On every action-selection (management) menu, for example, the contents view of a folder; generate a (fairly or completely) random key.
action-selection menu:
Menu from where actions can be performed, i.e. DTMLMethods deleted, etc.
This value gets stored in some sort of table, and expires after x*n minutes. In the table there's a reference to where the key was generated and by whom.
Now, when somebody deletes something, the random key is checked against the table..
This could be a good idea...
This isn't a well formulated idea, simply a spark of Zen (or something) =)..
-Morten
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Yep, the interact with desktop would cause this, try turning it off and see what happens. hth Phil phil.harris@zope.co.uk ----- Original Message ----- From: "J. Michael Mc Kay" <admin@ihosts.net> Cc: <zope@zope.org> Sent: Wednesday, May 10, 2000 1:57 PM Subject: [Zope] Some Wierdness starting Zope
I recently re-installed zope to run as an NT Service. Today I rebooted the server and a dos window remains open after Zope has started. It is a window running Python.exe. I have not seen this before. Pages seem to be loading OK. Before rebooting I had stopped Zope via the Service Manager. When I tried to restart the same Dos window opened and behaved like it was in a loop of sorts. One window was continuously replaced by another over and over again. Occasionally I could see a traceback message but that window would be replaced by a new one too quickly to see what was happening.
Has anyone seen this behaviour? My server has been restarted for 30 minutes now and, apparently, a permanent Python DOS box is open on the desktop.
In the Service Control Manager and under start-up properties, Interact with Desktop is checked. Would this cause this? (Though the dos window was not there when I logged on this morning)
Thanks,
hisnibs
Yes.... That was it. Thanks, A little like a toastio this week, hisnibs ----- Original Message ----- From: "Phil Harris" <phil.harris@zope.co.uk> To: "J. Michael Mc Kay" <admin@ihosts.net> Cc: <zope@zope.org> Sent: Wednesday, May 10, 2000 9:22 AM Subject: Re: [Zope] Some Wierdness starting Zope
Yep, the interact with desktop would cause this, try turning it off and see what happens.
hth
Phil phil.harris@zope.co.uk
May or may not be related but I had a problem when I upgraded from 2.1.0 to 2.1.6 on NT. Doing the original installation I took the default name "website" for the name of the zope server, when I upgraded I used the name 'zope'. I ended up with two services running and python using 100% of the machine resources. It was obvious because I had two zope services running and I just stopped the 'website' service and all was OK. HTH Richard
At 08:57 10/05/00 -0400, you wrote:
I recently re-installed zope to run as an NT Service. Today I rebooted the server and a dos window remains open after Zope has started. It is a window running Python.exe. I have not seen this before. Pages seem to be loading OK. Before rebooting I had stopped Zope via the Service Manager. When I tried to restart the same Dos window opened and behaved like it was in a loop of sorts. One window was continuously replaced by another over and over again. Occasionally I could see a traceback message but that window would be replaced by a new one too quickly to see what was happening.
Has anyone seen this behaviour? My server has been restarted for 30 minutes now and, apparently, a permanent Python DOS box is open on the desktop.
In the Service Control Manager and under start-up properties, Interact with Desktop is checked. Would this cause this? (Though the dos window was not there when I logged on this morning)
Thanks,
hisnibs
Richard Moon richard@dcs.co.uk
I recently re-installed zope to run as an NT Service. Today I rebooted the server and a dos window remains open after Zope has started. It is a window running Python.exe. I have not seen this before. Pages seem to be loading OK. Before rebooting I had stopped Zope via the Service Manager. When I tried to restart the same Dos window opened and behaved like it was in a loop of sorts. One window was continuously replaced by another over and over again. Occasionally I could see a traceback message but that window would be replaced by a new one too quickly to see what was happening.
This suggests to me you might have the same phenomenon I experienced two days earlier. I had two Zope installs: 2.0.1 and 2.1.3. A week ago we had a MSSQLServer 7.0 crash. After rebooting the NT Server MSSQLServer was back, but our Zope 2.0.1 install was not available anymore. The 2.1.3 service was servicing all right. The python processes used 100% cpu time all of the time because zope was restarting continuously. A reinstall of zope 2.0.1 started manually showed that it died in a winsock error. Eventually we installed 2.1.6 and the problem was gone. I don't know why. cb
Has anyone seen this behaviour? My server has been restarted for 30 minutes now and, apparently, a permanent Python DOS box is open on the desktop.
In the Service Control Manager and under start-up properties, Interact with Desktop is checked. Would this cause this? (Though the dos window was not there when I logged on this morning)
Thanks,
hisnibs
participants (6)
- Brian Lloyd
- Cornelis J. de Brabander
- J. Michael Mc Kay
- Morten W. Petersen
- Phil Harris
- Richard Moon