[Zope] Script (Python) insecure ?
Andreas Jung
lists at zopyx.com
Tue Aug 12 08:16:44 EDT 2008
*sigh*
I wished that both exploits were reported to the Zope bugtracker in order
to work on solutions before making the exploits public.
--On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <mal at egenix.com> wrote:
> Hello,
>
> 1. Attack:
>
> Put this into a "Script (Python)" object and run it:
>
> return 'kaboom'.encode('test.testall')
>
> This results in a denial-of-service, since Zope will hang
> running the Python test suite.
>
> The reason for this is a problem in the way the encoding search
> function works in Python 2.4. This was changed in 2.5 to no longer
> allow searching for codecs outside the encodings package.
That's pretty obscure behavior of Python 2.4...anyway.
>
>
> 2. Attack:
>
> Put this into a "Script (Python)" object and run it:
>
> raise SystemExit
>
> This shuts down Zope.
>
> The Python Script environment should obviously catch such exceptions
> and not let them propagate up the call stack.
>
See the followup on
<https://bugs.launchpad.net/zope2/+bug/257269>
There is a patch available that solves the problem.
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope/attachments/20080812/38570c5f/attachment.bin
More information about the Zope
mailing list