[Zope] Script (Python) insecure ?

M.-A. Lemburg mal at egenix.com
Tue Aug 12 07:41:04 EDT 2008


after Chris Withers lightning talk at EPC 2008 I had a closer look
at the implementation of Python Scripts in Zope 2.11.

While I have not yet been able to break out of the restricted
environment without help from installed products, there are a few
denial-of-service attacks which can easily be deployed on sites
allowing adding Python Scripts to a user folder:

1. Attack:

Put this into a "Script (Python)" object and run it:

return 'kaboom'.encode('test.testall')

This results in a denial-of-service, since Zope will hang
running the Python test suite.

The reason for this is a problem in the way the encoding search
function works in Python 2.4. This was changed in 2.5 to no longer
allow searching for codecs outside the encodings package.

2. Attack:

Put this into a "Script (Python)" object and run it:

raise SystemExit

This shuts down Zope.

The Python Script environment should obviously catch such exceptions
and not let them propagate up the call stack.

I found the second attack rather surprising, as it doesn't require
deep knowledge about Python's interna.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Aug 12 2008)
 >>> Python/Zope Consulting and Support ...        http://www.egenix.com/
 >>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
 >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::

    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
            Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Zope mailing list