[Zope-dev] weak examples, weak exploits

Jamie Heilman jamie@audible.transient.net
Mon, 23 Jun 2003 20:09:19 -0700


seb bacon wrote:
> The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
> though.  The reason it's still turning up in 2.6.x versions is probably
> due to upgrades.  Therefore I suppose additionally there should be a
> patch which examines the ZODB on startup and prints a warning if an old
> Examples folder is present.

I opted for a patch that simply removes all the magic auto-install
crud and goes for the installer link on the quick-start page.  As for
previous zope installations, well, I don't feel like trying to figure
out how to examine the zodb and warn people if they've got bad
examples still installed; it strikes me as too much junk in the
startup procedure, which is already too slow as it is.  I say chalk it
up as a lesson learned and move on.

As for my reworked examples, I added missing quoting to the navigation
examples, size limits and entry limits to the guest book, size limits
and entry limits to the file library, and additional sanity checking
and robustness to just about everything.

Examining the original advisory this is how I break it down:
1) moot with the addition of SiteErrorLog
2) Examples/db no longer exists in the Examples, I'm unaware if it
   ever did, at any rate, not a problem
3) moot with the addition of SiteErrorLog
3a) this is a problem, see below
3b) fixed in my reworking
3c) I was unable to reproduce this, maybe a bug with older Zopes?
extra notes) wtf? I have no idea what the advisory author was
             trying to say by including that diff, and I have a feeling
             he doesn't know either. I mean, it has the words 'examples'
             and 'security' in it, but that doesn't make it relevant.

There is, unfortunately, a snag.  One of the exploits (3a), as it turns
out, is actually a problem deeper down.  To isolate a test case, make a
script like:

## Script (Python) "aww_shit_now_what"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=i
##title=
##
return int(i)

Then call it http://host/aww_shit_now_what=<b>old+flava'

This can be disarmed by ensuring that in your standard_error_message
you quote the results of error_msg, however this isn't the default,
and it will result in a lot of broken and ugly looking (albeit safer)
error pages.

I haven't fully figured out exactly what's going on with that whole
thing yet.  I have a feeling it's attributable to either
raise_standardErrorMessage's "smart" tag searching, or some other
auto-magical aspect of the error handling framework. (clues
appreciated)

In the meantime I suggest quoting error_msg.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle
 into a lion's mouth and flicking his lovespuds with a wet towel, pure
 insanity..."                                                   -Rimmer
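The reflection the post describes, as an added example that is not part of the original message or of Zope itself: a plain-Python stand-in for the `int(i)` script and a minimal error page builder that inlines `error_value`, once verbatim (the default behaviour Jamie complains about) and once HTML-quoted. The function and parameter names here are assumptions chosen for illustration, not Zope's own API.

```python
import html


def failing_script(i):
    """Mirrors the page's Script (Python): int() on untrusted input.
    The ValueError it raises echoes the offending input back in its message,
    which is what ends up in error_value / error_msg."""
    return int(i)


def build_error_page(error_type, error_value, quote=True):
    """Minimal stand-in for a standard_error_message page that shows error_value.
    quote=False drops the message into the HTML verbatim (the unsafe default the
    post describes); quote=True escapes it first, as the post recommends."""
    msg = str(error_value)
    if quote:
        msg = html.escape(msg, quote=True)
    return (
        "<html><body><h2>Site Error</h2>"
        f"<p><strong>Error Type:</strong> {html.escape(error_type)}</p>"
        f"<p><strong>Error Value:</strong> {msg}</p>"
        "</body></html>"
    )


def handle_request(i, quote=True):
    """Run the script and render the error page when it fails, the way the
    error-handling framework would.  Returns the response body as a string."""
    try:
        return str(failing_script(i))
    except ValueError as exc:
        return build_error_page(type(exc).__name__, exc, quote=quote)


if __name__ == "__main__":
    # Constructed request parameter mirroring the post's test case.
    bad_input = "<b>old flava'"
    print("unquoted:", handle_request(bad_input, quote=False))
    print("quoted:  ", handle_request(bad_input, quote=True))
```

The unquoted page reproduces the raw `<b>` tag from the request inside the response, while the quoted page renders `&lt;b&gt;` as literal text.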