[Zope] Script (Python) insecure?
M.-A. Lemburg
mal at egenix.com
Tue Aug 12 07:41:04 EDT 2008
Hello,
after Chris Withers' lightning talk at EPC 2008 I had a closer look
at the implementation of Python Scripts in Zope 2.11.
While I have not yet been able to break out of the restricted
environment without help from installed products, there are a few
denial-of-service attacks which can easily be deployed on sites
allowing adding Python Scripts to a user folder:
1. Attack:
Put this into a "Script (Python)" object and run it:
return 'kaboom'.encode('test.testall')
This results in a denial-of-service, since Zope will hang
running the Python test suite.
The reason for this is a problem in the way the encoding search
function works in Python 2.4. This was changed in 2.5 to no longer
allow searching for codecs outside the encodings package.
2. Attack:
Put this into a "Script (Python)" object and run it:
raise SystemExit
This shuts down Zope.
The Python Script environment should obviously catch such exceptions
and not let them propagate up the call stack.
I found the second attack rather surprising, as it doesn't require
deep knowledge about Python's internals.
Regards,
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Source (#1, Aug 12 2008)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
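The following is an added illustration of the two points in the post above; it is not code from the original message and not Zope's own Script (Python) implementation. It assumes a hypothetical, deliberately tiny runner, run_script_naive() / run_script_hardened(), that exec()s an untrusted script body with a stripped-down builtins dict. It is only meant to show the exception-handling difference, not to be a real restricted-execution sandbox. The sample script bodies are constructed for the example. It targets Python 3, where the codec search function (as the post notes for 2.5 and later) only resolves names inside the encodings package, so 'test.testall' ends in a LookupError instead of importing the test suite.

```python
"""Added illustration (not Zope's code): why a script sandbox must catch
SystemExit, and what Python 3's codec lookup does with 'test.testall'.

Assumptions (hypothetical): run_script_*() stand in for a Script (Python)
object. They exec() the source with a minimal builtins dict and then call
the script's main() function.
"""
import builtins
import codecs

# Minimal builtins offered to the script; deliberately no open/__import__.
SAFE_BUILTINS = {
    name: getattr(builtins, name)
    for name in ("len", "range", "str", "int", "list", "dict",
                 "LookupError", "SystemExit", "Exception", "ValueError")
}


class ScriptError(Exception):
    """What the caller sees for any failure inside an untrusted script."""


def _load(source):
    # Compile and run the script body in its own globals, return its main().
    glb = {"__builtins__": SAFE_BUILTINS}
    exec(source, glb)
    return glb["main"]


def run_script_naive(source):
    """Only catches ordinary Exceptions. SystemExit derives from
    BaseException, not Exception, so it escapes and would unwind the
    whole server process (attack 2 in the post)."""
    try:
        return _load(source)()
    except Exception as exc:
        raise ScriptError(str(exc))


def run_script_hardened(source):
    """Same runner, but interpreter-level exceptions raised by the script
    are converted into ScriptError instead of propagating upwards."""
    try:
        return _load(source)()
    except (SystemExit, KeyboardInterrupt, GeneratorExit) as exc:
        raise ScriptError("script tried to stop the interpreter: %r" % (exc,))
    except Exception as exc:
        raise ScriptError(str(exc))


# Constructed sample script bodies, each defining main() like a script.
ATTACK_SYSTEMEXIT = "def main():\n    raise SystemExit\n"
ATTACK_CODEC = "def main():\n    return 'kaboom'.encode('test.testall')\n"
BENIGN = "def main():\n    return len('kaboom')\n"


def outcome(runner, source):
    """Classify what reaches the caller: 'ok', 'script_error' or 'escaped'
    ('escaped' means a BaseException got past the runner, i.e. the
    server-side problem the post describes)."""
    try:
        runner(source)
        return "ok"
    except ScriptError:
        return "script_error"
    except BaseException:
        return "escaped"


def codec_attack_result():
    """On Python 3 the dotted name is only looked up inside the encodings
    package, so no 'test.testall' module is imported and lookup fails."""
    try:
        codecs.lookup("test.testall")
        return "found"
    except LookupError:
        return "lookup_error"


if __name__ == "__main__":
    print("naive, SystemExit:   ", outcome(run_script_naive, ATTACK_SYSTEMEXIT))
    print("hardened, SystemExit:", outcome(run_script_hardened, ATTACK_SYSTEMEXIT))
    print("hardened, codec:     ", outcome(run_script_hardened, ATTACK_CODEC))
    print("hardened, benign:    ", outcome(run_script_hardened, BENIGN))
    print("codecs.lookup:       ", codec_attack_result())
```

The point of the two runners is the except clause: catching Exception is not enough, because SystemExit, KeyboardInterrupt and GeneratorExit sit directly under BaseException. A script runner that wants to stay inside one request has to name those explicitly (or catch BaseException and re-raise only what it wants the server to see). The codec half shows why the first attack no longer applies on a current interpreter, but it does nothing about the general class of "call something expensive from inside the sandbox", which a real sandbox would still need a timeout for.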