[ZCM] [ZC] 1963/ 3 Reject "Condition to freeze Zope, DOS attack possible"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Wed Dec 7 06:06:30 EST 2005


Issue #1963 Update (Reject) "Condition to freeze Zope, DOS attack possible"
 ** Security Related ** (Public)
 Status Rejected, Zope/bug critical
To followup, visit:
  http://www.zope.org/Collectors/Zope/1963

==============================================================
= Reject - Entry #3 by ajung on Dec 7, 2005 6:06 am

 Status: Pending => Rejected

Dupe of #1964
________________________________________
= Comment - Entry #2 by ajung on Dec 6, 2005 11:48 am

Please provide a testcase/code.
________________________________________
= Request - Entry #1 by Anonymous User on Dec 6, 2005 11:44 am


I have an object Y with a .DELETE() method in a folder X. Then I allowed Anonymous to delete objects in X and also WebDAV access to the folder X. (Object Y is an instance of an ExtImage subclass (and is added as a product), but this is probably not important)

After that, this kind of request to Zope's 8080 (or 8282) port makes it freeze:

DELETE /path/to/object/X/Y HTTP/1.1
Host: myhost.myorg.org
Content-Type: application/myprotocol+xml


(at first I received "not authorised" without any problems, but when I allowed deleting objects,

The behaviour is completely reproducible on at least two platforms with Zope 2.7.8 (final).

Surely, this is not only a bug but a security issue leading to a DOS attack, IMHO.

>
>> Traceback (most recent call last):
>>   File "/usr/local/lib/python2.3/logging/__init__.py", line 674, in emit
>>     msg = self.format(record)
>>   File "/usr/local/lib/python2.3/logging/__init__.py", line 567, in format
>>     return fmt.format(record)
>>   File "/usr/local/lib/python2.3/logging/__init__.py", line 369, in format
>>     s = s + self.formatException(record.exc_info)
>>   File "/usr/local/lib/python2.3/logging/__init__.py", line 342, in formatException
>>     traceback.print_exception(ei[0], ei[1], ei[2], None, sio)
>>   File "/usr/local/lib/python2.3/traceback.py", line 123, in print_exception
>>     print_tb(tb, limit, file)
>>   File "/usr/local/lib/python2.3/traceback.py", line 68, in print_tb
>>     line = linecache.getline(filename, lineno)
>>   File "/usr/local/lib/python2.3/linecache.py", line 14, in getline
>>     lines = getlines(filename)
>> RuntimeError: maximum recursion depth exceeded


(I am not sure how to get more traceback lines...)

This error is reproducible 100%, on both Mac OS X and Linux (Fedora Core 4).
Zope stops processing all requests.

==============================================================
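Entry #2 asked for a test case. What follows is an added example, not code from the report, the collector, or the Zope project: a liveness probe that sends the DELETE request quoted in Entry #1 (same method, Host, path and Content-Type, plus Content-Length: 0 since the request has no body) and then checks whether the instance still answers a plain GET, which is the "stops processing all requests" symptom. The hostname, port and object path are the placeholders from the report. The in-process fake server is a constructed stand-in that only mimics the symptom (one request never returns and, because the fake is single-threaded, everything behind it queues); it does not model Zope 2.7.8 itself. As the report says, the condition needs Anonymous to hold delete rights on the folder and WebDAV access to it, so point the probe only at a test instance you are prepared to restart.

```python
"""Liveness probe for the DELETE-induced hang described in the report.

Added example; the fake server below is a constructed stand-in and the
host/port/path defaults are the placeholders from the report, not real
systems.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_TIMEOUT = 2.0  # seconds a healthy instance should need for a trivial request


def build_request(method, host, path, content_type=None):
    """Build a raw HTTP/1.1 request as bytes.

    With content_type set to the value from the report this is the request
    the reporter sent; Content-Length: 0 is added because there is no body
    (the original omitted it), and Connection: close keeps the probe simple.
    """
    lines = ["%s %s HTTP/1.1" % (method, path), "Host: %s" % host]
    if content_type:
        lines.append("Content-Type: %s" % content_type)
    lines += ["Content-Length: 0", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def status_of(host, port, request, timeout=PROBE_TIMEOUT):
    """Send raw bytes and return the HTTP status code as an int.

    Returns None when the connection is refused, or when the server accepts
    the connection but sends nothing before the timeout: that silence is the
    'freeze' the report describes, as opposed to an error status.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            head = sock.recv(4096)
    except OSError:  # includes socket.timeout and ConnectionRefusedError
        return None
    parts = head.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def probe(host, port, path, content_type="application/myprotocol+xml",
          timeout=PROBE_TIMEOUT):
    """Send the DELETE from the report, then check whether an ordinary GET
    is still answered. 'frozen' is True when nothing answers the GET."""
    delete_status = status_of(host, port,
                              build_request("DELETE", host, path, content_type), timeout)
    get_status = status_of(host, port, build_request("GET", host, "/"), timeout)
    return {"delete": delete_status, "get_after": get_status,
            "frozen": get_status is None}


# --- constructed fake, only so the probe can be exercised offline ----------
_RELEASE = threading.Event()  # lets a caller unblock the simulated hang


class _FakeZope(BaseHTTPRequestHandler):
    """Stand-in. In 'stuck' mode DELETE never returns and, because HTTPServer
    is single-threaded, every later request queues behind it. That is the
    symptom from the report, not a model of Zope's request handling."""
    stuck = False

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_DELETE(self):
        if self.stuck:
            _RELEASE.wait()  # hang; nothing is ever written to the client
            return
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server(stuck):
    """Start a fake on an ephemeral loopback port; returns the port number."""
    handler = type("Handler", (_FakeZope,), {"stuck": stuck})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


if __name__ == "__main__":
    # Against a real instance you would call, for example,
    # probe("myhost.myorg.org", 8080, "/path/to/object/X/Y")
    for mode in (False, True):
        port = start_fake_server(stuck=mode)
        print("stuck=%s ->" % mode, probe("127.0.0.1", port, "/path/to/object/X/Y", timeout=1.0))
    _RELEASE.set()
```

The probe deliberately distinguishes an error status from no response at all: a 401 or 404 on the DELETE means the server is still alive and the report's precondition (Anonymous allowed to delete) is not met, while a None on the follow-up GET is the condition worth escalating.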
