[Zope] HTTP Request Denial of Service Vulnerability

Ricardo Newbery ric at digitalmarbles.com
Sun Jul 19 23:45:41 EDT 2009


It might be premature to blame this on Foundstone.  I can't seem to  
find this security advisory online at all.  No advisory id was  
included nor any reference at all and the recommendation doesn't look  
at all like what usually comes from a legit advisory.  I smell a fake.

Ric



On Jul 19, 2009, at 7:55 PM, Chris McDonough wrote:

> I just sent the below via http://www.foundstone.com/us/contact-form.aspx .  I'd
> suggest that others do the same; this company is totally wrong about  
> this
> conclusion...
>
> You recently issued a security warning to the effect:
>
> """
> = Name =
>
> Zope HTTP Request Denial of Service Vulnerability
>
> = Description =
>
> A vulnerability in Zope may allow a remote attacker to manually  
> shutdown the system.
>
> = Observation =
>
> The Zope Web Content Management system has been identified with a  
> critical
> denial of service vulnerability. A malicious attacker could manually  
> shutdown
> the target system remotely via a custom web HTTP field request. This
> vulnerability is especially dangerous as the "kill" packet can be  
> completely
> forged thereby increasing the difficulty when tracking would be  
> intruders and
> attackers.
>
> = Recommendation =
>
> Although the Zope development environment is one of the largest and  
> most widely
> supported open source web content management solutions, it has been  
> plagued with
> exploitable vulnerabilities. Due to the nature of the software and  
> shear number
> of vulnerabilities, Foundstone Labs recommends you consider  
> utilizing a
> different content management solution and at a minimum upgrade your  
> software.
> Zope updates can be freely downloaded from www.zope.org
> """
>
> Your conclusion here is wrong.  This particular "vulnerability" is  
> for Zope
> installations who offer the ability for *untrusted users* to add  
> code through
> the web.  This is not the default setup; a user needs to explicitly  
> enable such
> a setup. The conclusion is akin to saying that people should not use  
> Zope
> because they might do something bad to Zope if they have access to the
> administrative interface.  This is the case with *any* application  
> server or
> content management system.
>
> I'd suggest getting a little more knowledge about your material  
> before scaring
> folks.  The Zope folks do full-disclosure of all vulnerabilities;  
> it's up to you
> to discern the "scary" ones from the "ho hum" ones. This is  
> definitely a ho-hum
> one, and in no way deserves this conclusion.
>
> On 7/19/09 10:42 PM, Chris McDonough wrote:
>> I have no idea who "Foundstone Labs" is, nor if the denial of service
>> vulnerability they're talking about is indeed the one fixed by
>> http://www.zope.org/advisories/advisory-2008-08-12/ but:
>>
>> a) if it is, if you read it closely, you'll note that it's for Zope  
>> instances
>> where untrusted users have unrestricted access to the ZMI and the  
>> ability to add
>> Python Scripts.  Do you have such a setup?
>>
>> b) Zope has historically been *very* secure; this company is utterly,
>> completely, and hopelessly clueless (nor can they spell "sheer").   
>> If you want
>> *real* security horror, I'd suggest taking their advice and  
>> "upgrading" to any
>> PHP based solution. ;-)
>>
>> - C
>>
>>
>> On 7/19/09 10:06 PM, TsungWei Hu wrote:
>>> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
>>> security notice as follows. Is it sufficient to fix this just  
>>> installing
>>> http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
>>>
>>> = Name =
>>>
>>> Zope HTTP Request Denial of Service Vulnerability
>>>
>>> = Description =
>>>
>>> A vulnerability in Zope may allow a remote attacker to manually  
>>> shutdown
>>> the system.
>>>
>>> = Observation =
>>>
>>> The Zope Web Content Management system has been identified with a
>>> critical denial of service vulnerability. A malicious attacker could
>>> manually shutdown the target system remotely via a custom web HTTP  
>>> field
>>> request. This vulnerability is especially dangerous as the "kill"  
>>> packet
>>> can be completely forged thereby increasing the difficulty when  
>>> tracking
>>> would be intruders and attackers.
>>>
>>> = Recommendation =
>>>
>>> Although the Zope development environment is one of the largest  
>>> and most
>>> widely supported open source web content management solutions, it  
>>> has
>>> been plagued with exploitable vulnerabilities. Due to the nature  
>>> of the
>>> software and shear number of vulnerabilities, Foundstone Labs  
>>> recommends
>>> you consider utilizing a different content management solution and  
>>> at a
>>> minimum upgrade your software. Zope updates can be freely downloaded
>>> from www.zope.org
>>>
>>>
>>> _______________________________________________
>>> Zope maillist  -  Zope at zope.org
>>> http://mail.zope.org/mailman/listinfo/zope
>>> **   No cross posts or HTML encoding!  **
>>> (Related lists -
>>>   http://mail.zope.org/mailman/listinfo/zope-announce
>>>   http://mail.zope.org/mailman/listinfo/zope-dev )
>>
>