[Zope] HTTP Request Denial of Service Vulnerability

Chris McDonough chrism at plope.com
Sun Jul 19 23:51:09 EDT 2009


This may be true.  However, I notice that whoever makes the Foundstone website
can't spell either ("Costumer" for "Customer" in the "How you found out about
us" dropdown). ;-)  So... guilty till proven innocent as far as I'm concerned.

- C

On 7/19/09 11:45 PM, Ricardo Newbery wrote:
>
> It might be premature to blame this on Foundstone. I can't seem to find
> this security advisory online at all. No advisory id was included nor
> any reference at all and the recommendation doesn't look at all like
> what usually comes from a legit advisory. I smell a fake.
>
> Ric
>
>
>
> On Jul 19, 2009, at 7:55 PM, Chris McDonough wrote:
>
>> I just sent the below via
>> http://www.foundstone.com/us/contact-form.aspx . I'd
>> suggest that others do the same; this company is totally wrong about this
>> conclusion...
>>
>> You recently issued a security warning to the effect:
>>
>> """
>> = Name =
>>
>> Zope HTTP Request Denial of Service Vulnerability
>>
>> = Description =
>>
>> A vulnerability in Zope may allow a remote attacker to manually
>> shutdown the system.
>>
>> = Observation =
>>
>> The Zope Web Content Management system has been identified with a critical
>> denial of service vulnerability. A malicious attacker could manually shutdown
>> the target system remotely via a custom web HTTP field request. This
>> vulnerability is especially dangerous as the "kill" packet can be completely
>> forged thereby increasing the difficulty when tracking would-be intruders and
>> attackers.
>>
>> = Recommendation =
>>
>> Although the Zope development environment is one of the largest and most widely
>> supported open source web content management solutions, it has been plagued with
>> exploitable vulnerabilities. Due to the nature of the software and shear number
>> of vulnerabilities, Foundstone Labs recommends you consider utilizing a
>> different content management solution and at a minimum upgrade your software.
>> Zope updates can be freely downloaded from www.zope.org
>> """
>>
>> Your conclusion here is wrong. This particular "vulnerability" is for Zope
>> installations that offer the ability for *untrusted users* to add code through
>> the web. This is not the default setup; a user needs to explicitly enable such
>> a setup. The conclusion is akin to saying that people should not use Zope
>> because they might do something bad to Zope if they have access to the
>> administrative interface. This is the case with *any* application server or
>> content management system.
>>
>> I'd suggest getting a little more knowledge about your material before scaring
>> folks. The Zope folks do full-disclosure of all vulnerabilities; it's up to you
>> to discern the "scary" ones from the "ho hum" ones. This is definitely a ho-hum
>> one, and in no way deserves this conclusion.
>>
>> On 7/19/09 10:42 PM, Chris McDonough wrote:
>>> I have no idea who "Foundstone Labs" is, nor if the denial of service
>>> vulnerability they're talking about is indeed the one fixed by
>>> http://www.zope.org/advisories/advisory-2008-08-12/ but:
>>>
>>> a) if it is, if you read it closely, you'll note that it's for Zope instances
>>> where untrusted users have unrestricted access to the ZMI and the ability to add
>>> Python Scripts. Do you have such a setup?
>>>
>>> b) Zope has historically been *very* secure; this company is utterly,
>>> completely, and hopelessly clueless (nor can they spell "sheer"). If you want
>>> *real* security horror, I'd suggest taking their advice and "upgrading" to any
>>> PHP based solution. ;-)
>>>
>>> - C
>>>
>>>
>>> On 7/19/09 10:06 PM, TsungWei Hu wrote:
>>>> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and received a
>>>> security notice as follows. Is it sufficient to fix this by just installing
>>>> http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
>>>>
>>>> = Name =
>>>>
>>>> Zope HTTP Request Denial of Service Vulnerability
>>>>
>>>> = Description =
>>>>
>>>> A vulnerability in Zope may allow a remote attacker to manually shutdown
>>>> the system.
>>>>
>>>> = Observation =
>>>>
>>>> The Zope Web Content Management system has been identified with a
>>>> critical denial of service vulnerability. A malicious attacker could
>>>> manually shutdown the target system remotely via a custom web HTTP field
>>>> request. This vulnerability is especially dangerous as the "kill" packet
>>>> can be completely forged thereby increasing the difficulty when tracking
>>>> would-be intruders and attackers.
>>>>
>>>> = Recommendation =
>>>>
>>>> Although the Zope development environment is one of the largest and most
>>>> widely supported open source web content management solutions, it has
>>>> been plagued with exploitable vulnerabilities. Due to the nature of the
>>>> software and shear number of vulnerabilities, Foundstone Labs recommends
>>>> you consider utilizing a different content management solution and at a
>>>> minimum upgrade your software. Zope updates can be freely downloaded
>>>> from www.zope.org
>>>>
>>>>
>>>> _______________________________________________
>>>> Zope maillist - Zope at zope.org
>>>> http://mail.zope.org/mailman/listinfo/zope
>>>> ** No cross posts or HTML encoding! **
>>>> (Related lists -
>>>> http://mail.zope.org/mailman/listinfo/zope-announce
>>>> http://mail.zope.org/mailman/listinfo/zope-dev )
>>>
>>>
>>
>