[Zope-dev] Take the cgi-vulnerability patch seriously!

Joachim Werner joe@iuveno-net.de
Thu, 26 Jul 2001 18:44:24 +0200


Hi!

Normally I do not comment on security patches for Zope because they fix very
minor issues. The recent patch announced on
http://www.zope.org/Products/Zope/Hotfix_2001-07-25/security_alert is
different. We tested the exploit script provided at sourceforge, and it
immediately pushed any of our servers we tested it on to > 90% system load.
With two or three calls of the script, any Zope server (including all other
services running on the server) can be brought to a halt.

So please take care of your servers! The exploit is posted with the bug
report, and anybody who knows how to copy&paste and start a python script can
use it to stop any Zope server in the world that is unprotected. Moreover,
there seems to be an Opera bug that has the same effect ...

Cheers

iuveno AG

Joachim Werner
CEO