[Zope] HTTP Request Denial of Service Vulnerability
Ricardo Newbery
ric at digitalmarbles.com
Fri Jul 24 14:38:39 EDT 2009
Ryan,
Thanks for the quick work on resolving this. :-)
Ric
On Jul 24, 2009, at 10:15 AM, <Ryan_Permeh at McAfee.com> wrote:
> Ok, the final analysis is as follows:
>
> We had an incorrect version regex that matched 2.10 the same as
> 2.1. This issue seems to only affect zope version 2.0 through
> 2.5.01. This led to the vulnerability showing up with recent
> versions of zope being scanned.
>
> We are fixing both the regex and the suggested fix. The new
> suggested fix will be to update to the appropriate version of zope
> (in this case, post 2.5.01), not to replace it with something else.
> This fix should be updated within the next week or so.
>
> If you have any further questions pertaining to McAfee (or
> Foundstone) security reports, please feel free to contact me
> directly, or via security at mcafee.com. I am not a full time member
> of this list, so I may not see any replies or questions made only to
> the list.
>
>
> -----Original Message-----
> From: Permeh, Ryan
> Sent: Friday, July 24, 2009 9:53 AM
> To: lists at zopyx.com
> Cc: zope at zope.org
> Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
>
> It is not related to the specified hotfix. I'm getting details now,
> but this is how it seems:
> 1. this is from the Foundstone product, not a public advisory. The
> Foundstone product is a vulnerability scanner, and it seems that it
> feels that the original poster's site is vulnerable to the stated
> issue.
> 2. The vulnerability check was written and published in 2002.
> 3. I am looking into details regarding both what the details of this
> issue originally were, and what we look for to trigger its existence.
>
> This leads to a couple of observations.
>
> 1. This is likely a false positive, unless the original poster was
> running ridiculously old software.
> 2. We will fix the check logic or remove the check entirely. Checks
> this old rarely add much value to the product.
> 3. In any case, if the check stays, we will update the text. I'm
> not sure who wrote the original text in 2002, but it obviously
> doesn't apply now.
>
>
> -----Original Message-----
> From: Andreas Jung [mailto:lists at zopyx.com]
> Sent: Friday, July 24, 2009 9:43 AM
> To: Permeh, Ryan
> Cc: zope at zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Hi,
>
> On 24.07.09 18:24, Ryan_Permeh at McAfee.com wrote:
>> I manage product security at McAfee, of which Foundstone is a
>> part. I am not aware of releasing such an advisory, and am looking
>> into this. Could we get details regarding where this was found?
>> Was this posted to a web site? A security mailing list? And when
>> was it posted? This may have a very different meaning if it was
>> published in 2001 or something like that. Alternately, Foundstone
>> produces a vulnerability management software, was this in a report
>> generated by that product?
>>
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to "HTTP Request Denial of Service
> Vulnerability"???
>
> I can not find anything related to the subject within the list of
> our hotfixes (which is pretty small since 2000):
>
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )