[Zope] HTTP Request Denial of Service Vulnerability
Chris McDonough
chrism at plope.com
Sun Jul 19 22:55:38 EDT 2009
I just sent the below via http://www.foundstone.com/us/contact-form.aspx . I'd
suggest that others do the same; this company is totally wrong about this
conclusion...
You recently issued a security warning to the effect:
"""
= Name =
Zope HTTP Request Denial of Service Vulnerability
= Description =
A vulnerability in Zope may allow a remote attacker to manually shutdown the system.
= Observation =
The Zope Web Content Management system has been identified with a critical
denial of service vulnerability. A malicious attacker could manually shutdown
the target system remotely via a custom web HTTP field request. This
vulnerability is especially dangerous as the "kill" packet can be completely
forged thereby increasing the difficulty when tracking would be intruders and
attackers.
= Recommendation =
Although the Zope development environment is one of the largest and most widely
supported open source web content management solutions, it has been plagued with
exploitable vulnerabilities. Due to the nature of the software and shear number
of vulnerabilities, Foundstone Labs recommends you consider utilizing a
different content management solution and at a minimum upgrade your software.
Zope updates can be freely downloaded from www.zope.org
"""
Your conclusion here is wrong. This particular "vulnerability" is for Zope
installations that offer the ability for *untrusted users* to add code through
the web. This is not the default setup; a user needs to explicitly enable such
a setup. The conclusion is akin to saying that people should not use Zope
because they might do something bad to Zope if they have access to the
administrative interface. This is the case with *any* application server or
content management system.
I'd suggest getting a little more knowledge about your material before scaring
folks. The Zope folks do full-disclosure of all vulnerabilities; it's up to you
to discern the "scary" ones from the "ho hum" ones. This is definitely a ho-hum
one, and in no way deserves this conclusion.
On 7/19/09 10:42 PM, Chris McDonough wrote:
> I have no idea who "Foundstone Labs" is, nor if the denial of service
> vulnerability they're talking about is indeed the one fixed by
> http://www.zope.org/advisories/advisory-2008-08-12/ but:
>
> a) if it is, if you read it closely, you'll note that it's for Zope instances
> where untrusted users have unrestricted access to the ZMI and the ability to add
> Python Scripts. Do you have such a setup?
>
> b) Zope has historically been *very* secure; this company is utterly,
> completely, and hopelessly clueless (nor can they spell "sheer"). If you want
> *real* security horror, I'd suggest taking their advice and "upgrading" to any
> PHP based solution. ;-)
>
> - C
>
>
> On 7/19/09 10:06 PM, TsungWei Hu wrote:
>> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and received a
>> security notice as follows. Is it sufficient to fix this just by installing
>> http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
>>
>> = Name =
>>
>> Zope HTTP Request Denial of Service Vulnerability
>>
>> = Description =
>>
>> A vulnerability in Zope may allow a remote attacker to manually shutdown
>> the system.
>>
>> = Observation =
>>
>> The Zope Web Content Management system has been identified with a
>> critical denial of service vulnerability. A malicious attacker could
>> manually shutdown the target system remotely via a custom web HTTP field
>> request. This vulnerability is especially dangerous as the "kill" packet
>> can be completely forged thereby increasing the difficulty when tracking
>> would be intruders and attackers.
>>
>> = Recommendation =
>>
>> Although the Zope development environment is one of the largest and most
>> widely supported open source web content management solutions, it has
>> been plagued with exploitable vulnerabilities. Due to the nature of the
>> software and shear number of vulnerabilities, Foundstone Labs recommends
>> you consider utilizing a different content management solution and at a
>> minimum upgrade your software. Zope updates can be freely downloaded
>> from www.zope.org
>>
>>
>>
>> _______________________________________________
>> Zope maillist - Zope at zope.org
>> http://mail.zope.org/mailman/listinfo/zope
>> ** No cross posts or HTML encoding! **
>> (Related lists -
>> http://mail.zope.org/mailman/listinfo/zope-announce
>> http://mail.zope.org/mailman/listinfo/zope-dev )