[Zope] HTTP Request Denial of Service Vulnerability

Ryan_Permeh at McAfee.com Ryan_Permeh at McAfee.com
Fri Jul 24 12:52:57 EDT 2009 

It is not related the specified hotfix.  I'm getting details now, but this is how it seems:
1. this is from the Foundstone product, not a public advisory.  The Foundstone product is a vulnerability scanner, and it seems that it feels that the original poster's site is vulnerable to the stated issue.
2. The vulnerability check was written and published in 2002.  
3. I am looking into details regarding both what the details of this issue originally were, and what we look for to trigger it's existence.

This leads to a couple observations.

1.  This is likely a false positive, unless the original poster was running ridiculously old software.  
2. We will fix the check logic or remove the check entirely.  Checks this old rarely add much value to the product
3. In any case, if the check stays, we will update the text.  I'm not sure who wrote the original text in 2002, but it obviously doesn't apply now.  


-----Original Message-----
From: Andreas Jung [mailto:lists at zopyx.com] 
Sent: Friday, July 24, 2009 9:43 AM
To: Permeh, Ryan
Cc: zope at zope.org
Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability

Hi,




On 24.07.09 18:24, Ryan_Permeh at McAfee.com wrote:
> I manage product security at McAfee, of which Foundstone is a part.  I am not aware of releasing such an advisory, and am looking into this.  Could we get details regarding where this was found?  Was this posted to a web site?  A security mailing list?  And when was it posted?  This may have a very different meaning if it was published in 2001 or something like that.  Alternately, Foundstone produces a vulnerability management software, was this in a report generated by that product?  
>
>   
I have no idea what you are talking about.

We had this strange mail thread this week:

http://mail.zope.org/pipermail/zope/2009-July/175308.html

related to this hotfix

http://www.zope.org/Products/Zope/Hotfix-2008-08-12

Now how is this related to " HTTP Request Denial of Service Vulnerability" ???

I can not find anything related to the subject within the list of our hotfixes (which is pretty small since 2000):

More information about the Zope mailing list