[Zope] Script (Python) insecure ?
Andreas Jung
lists at zopyx.com
Tue Aug 12 10:05:47 EDT 2008
--On 12. August 2008 14:16:44 +0200 Andreas Jung <lists at zopyx.com> wrote:
> *sigh*
>
> I wished that both exploits were reported to the Zope bugtracker in order
> to work on solutions before making the exploits public.
>
>
> --On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <mal at egenix.com>
> wrote:
>
>> Hello,
>
>
>
>>
>> 1. Attack:
>>
>> Put this into a "Script (Python)" object and run it:
>>
>> return 'kaboom'.encode('test.testall')
>>
>> This results in a denial-of-service, since Zope will hang
>> running the Python test suite.
>>
>> The reason for this is a problem in the way the encoding search
>> function works in Python 2.4. This was changed in 2.5 to no longer
>> allow searching for codecs outside the encodings package.
>
> That's pretty obscure behavior of Python 2.4...anyway.
The followup for this issue is also on Launchpad including a possible
solution:
<https://bugs.launchpad.net/zope2/+bug/257276>
The patches/monkey patches for both issues need review and testing.
I am now working on a security advisory.
For the hotfixes and testing I need definitely help since I am the road for
the rest of the week and pretty busy and limited network connectivity.
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope/attachments/20080812/6fb40c76/attachment.bin
More information about the Zope
mailing list