[Zope-dev] version status

Jamie Heilman jamie@audible.transient.net
Mon, 16 Jun 2003 13:33:00 -0700


Brian Lloyd wrote:
> Have you tested to ensure that the 2.6.2 (CVS) is still open to the 
> DoS? If so, could you give me a quick scenario that I could use to 
> reproduce it?

I haven't tested 2.6.2, I tested CVS HEAD, assuming the code change to
both was the validated_hook in Zope/App/startup.py then 2.6.2 is
vulnerable as well.  The hacky bash script I posted earlier was the
test I used, but you can test it just by going to a host running the
latest code and appending ?Zope-Version=foo to the URL.  If it creates
a new, persistent, zodb connection in the version foo, then you can be
had.  The rule of thumb is: if an anonymous client can force an
application server to store persistent data across transactions, then
the server will be vulnerable to a DoS attack.

Shane Hathaway wrote:
> - Anonymous users can still open a versioned database connection 
>   (although now they can't use it)
> - Merely opening a versioned connection consumes resources
> - Zope does not free those resources as it should

100% correct.  Frankly I'm not entirely convinced anonymous users
should ever be able to open a zodb connection, but I have no
technical evidence to back that up, it's just a hunch.
 
Oliver Bleutgen wrote:
> This is not purely aesthetical reasoning, since cookies can be trusted a 
> bit more than other variables coming from the request. You can't inject 
> them from third party sites, for instance.

Well actually you can inject them from 3rd party sites if the browser
is IE, but that probably doesn't come as a surprise to anyone, IE is
notoriously insecure.
 
Toby Dickenson wrote:
> I've not tested Jim's code, but it looks to me like it *should* stop that 
> attack. Have you tested it?

Yes, you get a 401 now, but by that time the damage has been done.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"It's almost impossible to overestimate the unimportance of most things."
							-John Logue
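As an added illustration of the point made in this message, that a 401 returned after the versioned connection has already been opened does not undo the allocation, here is a small simulation. It is not Zope's code; the database, request and both handlers are constructed stand-ins for the ordering of "open the connection" versus "check the permission".

```python
"""Simulate the authorize-after-allocate bug discussed in the thread.

A versioned connection is modelled as an entry in a dict that survives
the request; nothing here is Zope's own code or API (constructed example).
"""
from dataclasses import dataclass, field


@dataclass
class FakeDB:
    """Stand-in for the storage: one persistent connection per version name."""
    versions: dict = field(default_factory=dict)

    def open_version(self, name):
        # Models the resource the real server did not free: once opened,
        # the entry lives on after the request that created it.
        self.versions.setdefault(name, object())


@dataclass
class Request:
    query: dict
    authenticated: bool = False


def handle_vulnerable(db, req):
    """Open first, authorize later: the 401 arrives after the allocation."""
    version = req.query.get("Zope-Version")
    if version:
        db.open_version(version)          # damage done here ...
        if not req.authenticated:
            return 401                    # ... before this refusal
    return 200


def handle_hardened(db, req):
    """Authorize before touching persistent state; anonymous requests never allocate."""
    version = req.query.get("Zope-Version")
    if version:
        if not req.authenticated:
            return 401
        db.open_version(version)
    return 200


def simulate(handler, n):
    """Send n anonymous requests naming distinct versions; report leaked count and statuses."""
    db = FakeDB()
    statuses = {handler(db, Request({"Zope-Version": f"v{i}"})) for i in range(n)}
    return len(db.versions), statuses
```

Both handlers return 401 to the anonymous client; only the hardened one leaves nothing behind, which is the property a regression test for this class of bug should assert.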