[Zope] HTTP Request Denial of Service Vulnerability

Chris McDonough chrism at plope.com
Sun Jul 19 22:55:38 EDT 2009


I just sent the below via http://www.foundstone.com/us/contact-form.aspx .  I'd 
suggest that others do the same; this company is totally wrong about this 
conclusion...

You recently issued a security warning to the effect:

"""
= Name =

Zope HTTP Request Denial of Service Vulnerability

= Description =

A vulnerability in Zope may allow a remote attacker to manually shutdown the system.

= Observation =

The Zope Web Content Management system has been identified with a critical 
denial of service vulnerability. A malicious attacker could manually shutdown 
the target system remotely via a custom web HTTP field request. This 
vulnerability is especially dangerous as the "kill" packet can be completely 
forged, thereby increasing the difficulty when tracking would-be intruders and 
attackers.

= Recommendation =

Although the Zope development environment is one of the largest and most widely 
supported open source web content management solutions, it has been plagued with 
exploitable vulnerabilities. Due to the nature of the software and shear number 
of vulnerabilities, Foundstone Labs recommends you consider utilizing a 
different content management solution and at a minimum upgrade your software. 
Zope updates can be freely downloaded from www.zope.org
"""

Your conclusion here is wrong.  This particular "vulnerability" is for Zope 
installations that offer the ability for *untrusted users* to add code through 
the web.  This is not the default setup; a user needs to explicitly enable such 
a setup. The conclusion is akin to saying that people should not use Zope 
because they might do something bad to Zope if they have access to the 
administrative interface.  This is the case with *any* application server or 
content management system.

I'd suggest getting a little more knowledge about your material before scaring 
folks.  The Zope folks do full-disclosure of all vulnerabilities; it's up to you 
to discern the "scary" ones from the "ho hum" ones. This is definitely a ho-hum 
one, and in no way deserves this conclusion.

On 7/19/09 10:42 PM, Chris McDonough wrote:
> I have no idea who "Foundstone Labs" is, nor if the denial of service
> vulnerability they're talking about is indeed the one fixed by
> http://www.zope.org/advisories/advisory-2008-08-12/ but:
>
> a) if it is, if you read it closely, you'll note that it's for Zope instances
> where untrusted users have unrestricted access to the ZMI and the ability to add
> Python Scripts.  Do you have such a setup?
>
> b) Zope has historically been *very* secure; this company is utterly,
> completely, and hopelessly clueless (nor can they spell "sheer").  If you want
> *real* security horror, I'd suggest taking their advice and "upgrading" to any
> PHP based solution. ;-)
>
> - C
>
>
> On 7/19/09 10:06 PM, TsungWei Hu wrote:
>> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
>> security notice as follows. Is it sufficient to fix this just installing
>> http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
>>
>> = Name =
>>
>> Zope HTTP Request Denial of Service Vulnerability
>>
>> = Description =
>>
>> A vulnerability in Zope may allow a remote attacker to manually shutdown
>> the system.
>>
>> = Observation =
>>
>> The Zope Web Content Management system has been identified with a
>> critical denial of service vulnerability. A malicious attacker could
>> manually shutdown the target system remotely via a custom web HTTP field
>> request. This vulnerability is especially dangerous as the "kill" packet
>> can be completely forged, thereby increasing the difficulty when tracking
>> would-be intruders and attackers.
>>
>> = Recommendation =
>>
>> Although the Zope development environment is one of the largest and most
>> widely supported open source web content management solutions, it has
>> been plagued with exploitable vulnerabilities. Due to the nature of the
>> software and shear number of vulnerabilities, Foundstone Labs recommends
>> you consider utilizing a different content management solution and at a
>> minimum upgrade your software. Zope updates can be freely downloaded
>> from www.zope.org
>>
>>
>> _______________________________________________
>> Zope maillist  -  Zope at zope.org
>> http://mail.zope.org/mailman/listinfo/zope
>> **   No cross posts or HTML encoding!  **
>> (Related lists -
>>    http://mail.zope.org/mailman/listinfo/zope-announce
>>    http://mail.zope.org/mailman/listinfo/zope-dev )
