[Zope-dev] weak examples, weak exploits

Jamie Heilman jamie@audible.transient.net
Mon, 23 Jun 2003 01:20:35 -0700


http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt

This hit the full-disclosure list the other day.  Vulnerabilities 1
and 3 are moot and have been since the introduction of SiteErrorLog.
Although if the responsible parties had bothered digging a little
deeper they'd have found the BCI HTTP headers and likely thrown a fit.
Anyway, if you can wade your way past the all the spelling errors
you'll see the 0day exploits are your typical abuse of badly code web
apps, and apart from 1 and 3 there are probably legitimate bugs there.

Your predictable response: There's just examples. Uninstall them. They
shouldn't be left on a production system.

Sure, you know that, I know that, my cat knows that.  Joe Six Pack told
me he knew, but he didn't care.  Which tends to the be the consensus.
But thats no excuse to be shipping bad examples.  They should be
fixed, bad examples are worse than no examples at all.

I'll submit a fixed Examples.zexp but I need to know how its normally
prepared, ownership, etc.  Is there anything special I should do?

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's 
 not for you." She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway."				-Holly