[Zope] Script (Python) insecure ?
Garito
garito at sistes.net
Tue Aug 12 09:08:47 EDT 2008
The same question again and again
As a Zope user I prefer to know as soon as possible if Zope has security
problems like those
Perhaps the correct way would be to send the problem to the Zope people and
then make it public 2 weeks later.
I think 2 weeks is a very reasonable period to solve a problem; if not, I want
to try to solve the problem myself.
But I'll shut my mouth, sorry Andreas ;)
2008/8/12 Andreas Jung <lists at zopyx.com>
> *sigh*
>
> I wish that both exploits had been reported to the Zope bug tracker in order
> to work on solutions before making the exploits public.
>
>
> --On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <mal at egenix.com>
> wrote:
>
>> Hello,
>>
>> 1. Attack:
>>
>> Put this into a "Script (Python)" object and run it:
>>
>> return 'kaboom'.encode('test.testall')
>>
>> This results in a denial-of-service, since Zope will hang
>> running the Python test suite.
>>
>> The reason for this is a problem in the way the encoding search
>> function works in Python 2.4. This was changed in 2.5 to no longer
>> allow searching for codecs outside the encodings package.
>>
>
> That's pretty obscure behavior of Python 2.4...anyway.
>
>>
>> 2. Attack:
>>
>> Put this into a "Script (Python)" object and run it:
>>
>> raise SystemExit
>>
>> This shuts down Zope.
>>
>> The Python Script environment should obviously catch such exceptions
>> and not let them propagate up the call stack.
>>
>>
> See the followup on
>
> <https://bugs.launchpad.net/zope2/+bug/257269>
>
> There is a patch available that solves the problem.
>
> Andreas
>
>
--
Mis Cosas
http://blogs.sistes.net/Garito
Zope Smart Manager
http://blogs.sistes.net/Garito/670
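The boundary that M.-A. Lemburg's second report asks for, as an added example that is not part of the original thread, of Zope, or of RestrictedPython. `run_untrusted` is a hypothetical stand-in for the engine that evaluates a Script (Python): it uses plain `exec`, which is not a sandbox (Zope relies on RestrictedPython for that), and exists only to show that the host must catch `SystemExit` explicitly, because in Python 3 it derives from `BaseException` and an `except Exception` at the call boundary would let it propagate and terminate the server. `codec_module_for` is a simplified mirror of the Python 2.5+ rule from the first report: a codec name may only resolve to a module inside the `encodings` package, so a dotted name such as `test.testall` is refused before any import happens. The script bodies fed in below are constructed test inputs taken from the two reports.

```python
"""Host-side exception boundary for untrusted script code (illustration only)."""
import encodings
import encodings.aliases
import importlib.util


def run_untrusted(source):
    """Run a Script (Python)-style body; return ("ok", value) or ("error", kind, detail).

    exec() here is a hypothetical stand-in for the real script engine and is
    NOT a sandbox. The point is the except clauses: SystemExit and
    KeyboardInterrupt derive from BaseException, so `except Exception` alone
    would let an untrusted `raise SystemExit` shut the whole process down.
    """
    # Indent the body into a function so a bare `return` works as in a Script (Python).
    body = "\n".join("    " + line for line in source.splitlines()) or "    pass"
    wrapper = "def _script():\n" + body + "\n"
    namespace = {}
    try:
        exec(wrapper, namespace)               # defines _script in the namespace
        return ("ok", namespace["_script"]())
    except SystemExit as exc:
        # Turn the process-terminating exception into an ordinary error result.
        return ("error", "SystemExit", repr(exc.code))
    except KeyboardInterrupt:
        return ("error", "KeyboardInterrupt", "")
    except Exception as exc:
        return ("error", type(exc).__name__, str(exc))


def codec_module_for(name):
    """Return the `encodings.*` module name that would serve `name`, or None.

    Simplified mirror of encodings.search_function in Python 2.5+: the name is
    normalized, aliases are applied, dotted names are rejected outright, and
    only a module inside the encodings package may be imported. The lookup is
    done with find_spec so nothing is actually imported or executed.
    """
    norm = encodings.normalize_encoding(name).lower()
    if not norm or "." in norm:
        # A dotted name could reach a module outside the encodings package
        # (the 'test.testall' case); refuse it instead of walking there.
        return None
    modname = encodings.aliases.aliases.get(norm, norm)
    spec = importlib.util.find_spec("encodings." + modname)
    return spec.name if spec is not None else None


if __name__ == "__main__":
    # Constructed inputs: the two script bodies from the thread plus a benign one.
    for script in ("raise SystemExit", "return 'kaboom'.encode('test.testall')", "return len('abc') * 2"):
        print(repr(script), "->", run_untrusted(script))
    for codec in ("utf-8", "LATIN-1", "test.testall", "no_such_codec"):
        print(codec, "->", codec_module_for(codec))
    print("host process still running")
```

On a modern interpreter the `encode('test.testall')` body fails with `LookupError` inside the script, which the boundary reports as an ordinary error; the thread's point is that on Python 2.4 the same call reached the test package instead, so a host running untrusted scripts should validate encoding names itself rather than rely on the interpreter's search function.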