[Zope] HTTP Request Denial of Service Vulnerability

Chris McDonough chrism at plope.com
Sun Jul 19 22:42:35 EDT 2009


I have no idea who "Foundstone Labs" is, nor if the denial of service 
vulnerability they're talking about is indeed the one fixed by 
http://www.zope.org/advisories/advisory-2008-08-12/ but:

a) if it is, if you read it closely, you'll note that it's for Zope instances 
where untrusted users have unrestricted access to the ZMI and the ability to add 
Python Scripts.  Do you have such a setup?

b) Zope has historically been *very* secure; this company is utterly, 
completely, and hopelessly clueless (nor can they spell "sheer").  If you want 
*real* security horror, I'd suggest taking their advice and "upgrading" to any 
PHP based solution. ;-)

- C


On 7/19/09 10:06 PM, TsungWei Hu wrote:
> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and received a
> security notice as follows. Is it sufficient to fix this just by installing
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
>
> = Name =
>
> Zope HTTP Request Denial of Service Vulnerability
>
> = Description =
>
> A vulnerability in Zope may allow a remote attacker to manually shut down
> the system.
>
> = Observation =
>
> The Zope Web Content Management system has been identified with a
> critical denial of service vulnerability. A malicious attacker could
> manually shut down the target system remotely via a custom web HTTP field
> request. This vulnerability is especially dangerous as the "kill" packet
> can be completely forged, thereby increasing the difficulty when tracking
> would-be intruders and attackers.
>
> = Recommendation =
>
> Although the Zope development environment is one of the largest and most
> widely supported open source web content management solutions, it has
> been plagued with exploitable vulnerabilities. Due to the nature of the
> software and shear number of vulnerabilities, Foundstone Labs recommends
> you consider utilizing a different content management solution and at a
> minimum upgrade your software. Zope updates can be freely downloaded
> from http://www.zope.org
>