[Zope] HTTP Request Denial of Service Vulnerability

TsungWei Hu marr.tw at gmail.com
Sun Jul 19 22:06:20 EDT 2009


I have a Plone 3.2.3 site that runs with Zope 2.10.8 and received a security
notice as follows. Is it sufficient to fix this by just installing
http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/

= Name =

Zope HTTP Request Denial of Service Vulnerability

= Description =

A vulnerability in Zope may allow a remote attacker to manually shut down the
system.

= Observation =

The Zope Web Content Management system has been identified with a critical
denial of service vulnerability. A malicious attacker could manually
shut down the target system remotely via a custom web HTTP field request.
This vulnerability is especially dangerous as the "kill" packet can be
completely forged, thereby increasing the difficulty when tracking would-be
intruders and attackers.

= Recommendation =

Although the Zope development environment is one of the largest and most
widely supported open source web content management solutions, it has been
plagued with exploitable vulnerabilities. Due to the nature of the software
and sheer number of vulnerabilities, Foundstone Labs recommends you consider
utilizing a different content management solution and, at a minimum, upgrade
your software. Zope updates can be freely downloaded from www.zope.org