[Zope-dev] Take the cgi-vulnerability patch serious!
Brian Lloyd
brian@digicool.com
Thu, 26 Jul 2001 13:12:17 -0400
> Normally I do not comment on security patches for Zope because they fix very
> minor issues. The recent patch announced on
> http://www.zope.org/Products/Zope/Hotfix_2001-07-25/security_alert is
> different. We tested the exploit script provided at sourceforge, and it
> immediately pushed any of our servers we tested it on to > 90% system load.
> With two or three calls of the script, any Zope server (including all other
> services running on the server) can be brought to a halt.
Note that people running other Python-based Web systems that use
cgi.py should also be paying attention to this. I don't know if
WebWare or other larger web systems use cgi.py for form parsing,
but I'm sure most plain Python cgi scripts do.
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations www.digicool.com