[ZCM] [ZC] 1964/ 4 Unrestrict "(repost of #1963) Condition to freeze Zope, DOS attack possible"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Wed Dec 14 09:29:45 EST 2005


Issue #1964 Update (Unrestrict) "(repost of #1963) Condition to freeze Zope, DOS attack possible"
 ** Security Related ** (Public)
 Status Pending, Zope/bug medium
To followup, visit:
  http://www.zope.org/Collectors/Zope/1964

==============================================================
= Unrestrict_pending - Entry #4 by chrisw on Dec 14, 2005 9:29 am

This doesn't need to be hidden.
________________________________________
= Comment - Entry #3 by ajung on Dec 7, 2005 6:09 am

According to your posting you must have a file-system based product implementing the DELETE method. This is possibly a problem, but I don't consider it a critical problem.
________________________________________
= Edit - Entry #2 by ajung on Dec 7, 2005 6:07 am

 Changes: submitter email, importance (critical => medium)
________________________________________
= Request - Entry #1 by rnd0000 on Dec 7, 2005 5:50 am

(I'm sorry to repost it, but now I have a member account and (hopefully) can add comments)

I have an object Y with a .DELETE() method in a folder X. Then I allowed Anonymous to delete objects in X and also allowed WebDAV access to the folder X. (Object Y is an instance of an ExtImage subclass (and is added as a product), but this is probably not important)

After that, this kind of request to Zope's 8080 (or 8282) port makes it freeze:

DELETE /path/to/object/X/Y HTTP/1.1
Host: myhost.myorg.org
Content-Type: application/myprotocol+xml


(at first I received "not authorised" without any problems, but when I allowed to delete objects,

The behaviour is completely reproducible at least on two platforms with Zope 2.7.8 (final).

Surely, this is not only a bug but a security issue leading to a DoS attack, IMHO.


Traceback (most recent call last):
  File "/usr/local/lib/python2.3/logging/__init__.py", line 674, in emit
    msg = self.format(record)
  File "/usr/local/lib/python2.3/logging/__init__.py", line 567, in format
    return fmt.format(record)
  File "/usr/local/lib/python2.3/logging/__init__.py", line 369, in format
    s = s + self.formatException(record.exc_info)
  File "/usr/local/lib/python2.3/logging/__init__.py", line 342, in formatException
    traceback.print_exception(ei[0], ei[1], ei[2], None, sio)
  File "/usr/local/lib/python2.3/traceback.py", line 123, in print_exception
    print_tb(tb, limit, file)
  File "/usr/local/lib/python2.3/traceback.py", line 68, in print_tb
    line = linecache.getline(filename, lineno)
  File "/usr/local/lib/python2.3/linecache.py", line 14, in getline
    lines = getlines(filename)
RuntimeError: maximum recursion depth exceeded

(I am not sure how to get more traceback lines...)

This error is reproducible 100%, on both Mac OS X and Linux (Fedora Core 4).
Zope stops processing all requests.


How to reproduce it:

1. Add the following method to, for example, the ExtImage class of the ExtFile product:


    def DELETE(self, REQUEST):
        """ delete trial"""
        # Calls ExtImage.DELETE by name. When this method is itself installed
        # on ExtImage, that name resolves to this very method.
        ExtImage.DELETE(self, REQUEST)
        return "OK"

2. Restart Zope or refresh the product so the change will take effect

3. Put an ExtImage with ID (for example) 3_jpg into some folder (e.g., /tst) where Anonymous users are allowed WebDAV access and allowed to delete objects (not sure if the WebDAV access right is needed)

4. Then the following script causes Zope to freeze (in my case the /tst folder was used)

#!/usr/bin/python
# Sends one DELETE request over a raw socket and prints whatever comes back.
# Written for Python 2.3 (print statement). The Host header value is arbitrary.

import sys
import socket

HOST = "localhost"   # Zope instance under test
PORT = 8282          # or 8080, depending on the instance

# Request with no body; HTTP needs CRLF line endings, which are added below.
header = """DELETE /tst/3_jpg HTTP/1.1
Host: some.server.org
User-Agent: Client
Content-Type: application/xml

"""
header = header.replace('\n', '\r\n')

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.send(header)
data = s.recv(1024)      # blocks here for as long as Zope sends nothing back
s.close()
print 'Received', repr(data)

sys.exit(0)
# end of script


N.B. If I do not add my own .DELETE(), the object just gets deleted without problems!
Also, if I remove ExtImage.DELETE(self, REQUEST) from the method, I just receive OK from the server.
Please also note that
Host: some.server.org
contains an arbitrary hostname. I do not dare to check whether the problem persists if the correct hostname is used
(I do not have a spare server to try to freeze).

This issue could be a security problem for hosting environments where users' own classes are allowed.

I do not have any special arrangements for logging: just Z2.log and event.log (that is, the error appears on an out-of-the-box setup with ExtFile (or maybe another product of the kind) installed)
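As an added worked example (not code from the collector issue, from the ExtFile product or from Zope), the following Python 3 script models the method from step 1 of the report with small stand-in classes. Installing a method on ExtImage that calls ExtImage.DELETE by name makes every call re-enter the same function, so the request ends in RecursionError instead of reaching the original delete; the same override placed on a subclass reaches the parent implementation and the object is removed. The toy dispatch() also shows one handler-level measure, catching the error and answering 500 so the request thread is free for the next request. ExtImage, MyImage, Folder, Request, dispatch and run_scenario are names assumed for this example and are not the real Zope classes or API; the example does not claim to explain why the reporter's Zope instance stopped serving altogether.

```python
"""Self-recursive DELETE handler versus a correct subclass override.

Added example only: ExtImage, Folder, Request and dispatch() are
stand-ins written for this script, not the real Zope/ExtFile classes.
"""


class Request:
    """Minimal stand-in for a Zope REQUEST: only the method name is used."""

    def __init__(self, method):
        self.method = method


class Folder:
    """Stand-in container holding objects by id."""

    def __init__(self):
        self.objects = {}

    def add(self, obj):
        self.objects[obj.id] = obj
        obj.parent = self

    def delete(self, obj_id):
        del self.objects[obj_id]


class ExtImage:
    """Stand-in for a product class that already implements DELETE."""

    def __init__(self, obj_id):
        self.id = obj_id
        self.parent = None

    def DELETE(self, REQUEST):
        """Remove this object from its container."""
        self.parent.delete(self.id)
        return "deleted"


def patched_DELETE(self, REQUEST):
    """The method from the report, installed on ExtImage itself.

    The call below names ExtImage.DELETE explicitly. Once this function
    *is* ExtImage.DELETE, that name resolves to this function again, so
    the call never reaches the original implementation.
    """
    ExtImage.DELETE(self, REQUEST)
    return "OK"


class MyImage(ExtImage):
    """Correct form: the override lives on a subclass, so super() (or an
    explicit ExtImage.DELETE call) reaches the parent implementation."""

    def DELETE(self, REQUEST):
        super().DELETE(REQUEST)
        return "OK"


def dispatch(obj, request):
    """Toy request dispatcher: call the method named by the request and
    turn any exception, RecursionError included, into a 500 response
    rather than letting it escape into the server loop."""
    handler = getattr(obj, request.method, None)
    if handler is None:
        return (405, "method not allowed")
    try:
        return (200, handler(request))
    except Exception as exc:  # RecursionError is a RuntimeError subclass
        return (500, type(exc).__name__)


def run_scenario(install_patch):
    """Exercise DELETE on an image object placed in a folder.

    install_patch=True replaces ExtImage.DELETE with the report's method,
    as step 1 describes; False uses the MyImage subclass override instead.
    Returns the dispatch result and whether the object is still present.
    """
    original = ExtImage.DELETE
    folder = Folder()
    if install_patch:
        ExtImage.DELETE = patched_DELETE
        obj = ExtImage("3_jpg")
    else:
        obj = MyImage("3_jpg")
    folder.add(obj)
    try:
        result = dispatch(obj, Request("DELETE"))
    finally:
        ExtImage.DELETE = original  # restore so the scenarios are independent
    return result, "3_jpg" in folder.objects


if __name__ == "__main__":
    print("patched on ExtImage:", run_scenario(True))   # (500, 'RecursionError'), object kept
    print("override on subclass:", run_scenario(False))  # (200, 'OK'), object removed
```

The recursion is bounded only by the interpreter's recursion limit, and the error surfaces in dispatch() because that frame is shallow; a server whose logging or error handling runs inside the deepest frame has no stack left to format the traceback, which is the shape of the nested RuntimeError in the logged traceback above.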

==============================================================