[Zope-dev] Zope - SecurityFocus Newsletter #232 (fwd)

Chris Withers chris at simplistix.co.uk
Wed Jan 21 04:51:34 EST 2004


Hi,

Can anyone shed light on all of these? I know about some of them, but this is 
quite a disturbingly long list...

cheers,

Chris

---------- Forwarded Message ----------
Date: Tuesday, January 20, 2004 2:45 PM -0700
From: Kelly Martin <kel at securityfocus.com>
To: sf-news at securityfocus.com
Subject: SecurityFocus Newsletter #232

8. Zope Multiple Vulnerabilities
BugTraq ID: 9400
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9400
Summary:
Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.

Multiple vulnerabilities have been reported to exist in the software that
may allow an attacker to carry out attacks resulting from improper input
validation, access validation, information disclosure, and various
improper security checks on a vulnerable system.  Successful exploitation
of these issues may lead to cross-site scripting attacks, denial of
service conditions, and other attacks.

The following specific issues have been identified:

The ZSearch interface has been reported to be prone to a cross-site
scripting vulnerability.  Successful exploitation of this issue may allow
a remote attacker to carry out cross-site scripting attacks by enticing a
victim user to follow a malicious link to a site hosting the software that
contains embedded HTML and script code. The embedded code may be rendered
in the web browser of the victim user in the security context of the site
hosting the vulnerable software.

A denial of service vulnerability has been identified in
'ZTUtils.SimpleTree' that may allow an attacker to cause a denial of
service condition in the software.  This condition results from improper
state handling.

An access validation issue has been reported to exist in the admin "find"
functions.  This issue may lead to an attacker gaining access to sensitive
information without proper authentication.

An unspecified access validation issue has been identified in the
PropertyManager 'lines' and 'tokens' properties.  It has been reported
that some property types are stored in a mutable data type (list) and may
allow untrusted code to effect changes on the properties without proper
security validation.

An unspecified access validation issue may exist in the DTMLDocument
objects.  This issue could allow an attacker to gain access to sensitive
information.

Another access validation issue has been identified in DTMLMethods.  It
has been reported that DTMLMethods proxy rights may be incorrectly
inherited when traversing to a parent object.

A denial of service vulnerability has been identified in the DTML tag
'dtml-tree' that may allow an attacker to cause a denial of service
condition in the software.

An information disclosure vulnerability is reported to exist in the
software.  This issue may allow an attacker to disclose certain attributes
via XML-RPC marshalling of class instances.

An access validation issue has been reported to exist in the software that
may allow unauthorized access to certain variables.  This issue occurs due
to improper initialization of PythonScript class security.

A denial of service vulnerability exists in RESPONSE.write() that may
allow an attacker to pass malicious unicode values, causing the ZServer
main loop to terminate and resulting in a crash or hang.

An access validation issue may exist in the software due to unpacking via
function calls, variable assignment, and exception variables without a
sufficient security check.  This issue may allow an attacker to gain
access to sensitive data.

Another access validation issue may allow an attacker to execute a
malicious script on a vulnerable system in order to gain unauthorized
access to certain objects.  This issue results from improper verification
of variables bound to page templates and Python scripts such as 'context'
and 'container'.

An unspecified error has been reported to exist due to the use of min,
max, enumerate, iter, and sum in untrusted code.

An issue has been identified in the use of 'import as' in Python scripts
that may allow an attacker to bypass security checks.

Another access validation issue has been identified in the list and
dictionary instance methods that may allow an attacker to gain
unauthorized access to certain objects.  A similar issue has also been
identified in for loops, list comprehensions, and other iterations of
untrusted code.

Further analysis of these issues is currently underway.  This BID will be
separated into individual BIDs upon completion of analysis.

These issues have been reported to exist in Zope versions 2.6.2 and prior
and in the development release 2.7.0 beta 3.  Other versions could be
affected as well.

---------- End Forwarded Message ----------
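The PropertyManager item in the forwarded advisory (properties of type 'lines' and 'tokens' stored as a mutable list, so untrusted code can change them without passing the security check) is easier to see in a small model than in prose. The following is an added illustration written for this page; it is not Zope's PropertyManager, not its fix, and the class and method names (LeakyPropertyManager, SafePropertyManager, getProperty, setProperty, untrusted_code) are assumptions chosen for the example. The point it shows is general: if the only access check lives in the setter, handing out the live list object from the getter gives every reader write access.

```python
# Added example for this page: a simplified model of the "mutable list
# property" bug class, not Zope code.  All names below are assumptions.


class Forbidden(Exception):
    """Raised when the caller lacks the permission a setter requires."""


class LeakyPropertyManager:
    """Stores a 'lines' property as a list and returns that list object
    itself.  The permission check exists only in setProperty(), so any
    code that can *read* the property can also rewrite it in place."""

    def __init__(self):
        self._props = {"lines": ["allowed-host-1", "allowed-host-2"]}

    def getProperty(self, name):
        return self._props[name]  # hands back the live, mutable list

    def setProperty(self, name, value, caller_can_manage):
        if not caller_can_manage:
            raise Forbidden("'Manage properties' permission required")
        self._props[name] = list(value)  # store a private copy


class SafePropertyManager(LeakyPropertyManager):
    """Same storage, but reads return an immutable snapshot (a tuple), so
    the only path that changes stored state is the checked setter.  The
    snapshot is shallow; that is enough here because 'lines' and 'tokens'
    hold strings, which are themselves immutable."""

    def getProperty(self, name):
        value = self._props[name]
        return tuple(value) if isinstance(value, list) else value


def untrusted_code(pm):
    """Models a restricted script that is allowed to read properties but
    not to manage them.  It never calls setProperty(); it only touches
    whatever getProperty() returns.  Returns True if it managed to change
    the stored property anyway."""
    lines = pm.getProperty("lines")
    try:
        lines.append("attacker-host")  # succeeds on a list, fails on a tuple
        return True
    except AttributeError:
        return False


def run_demo(pm_class):
    """Run the untrusted script against a fresh manager and report whether
    the stored property was altered and what its last entry now is."""
    pm = pm_class()
    mutated = untrusted_code(pm)
    return mutated, pm.getProperty("lines")[-1]


def setter_is_checked(pm_class):
    """Confirm the explicit setter still enforces its permission check."""
    pm = pm_class()
    try:
        pm.setProperty("lines", ["attacker-host"], caller_can_manage=False)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    for cls in (LeakyPropertyManager, SafePropertyManager):
        mutated, last = run_demo(cls)
        print(f"{cls.__name__}: untrusted code mutated property={mutated}, "
              f"last entry={last!r}, setter checked={setter_is_checked(cls)}")
```

Both classes reject the unauthorised setProperty() call; only the leaky one lets the restricted script change the stored list by appending to the object the getter returned. Returning a copy or an immutable view from the getter closes that path without touching the permission model.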
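The XML-RPC item in the forwarded advisory (disclosure of certain attributes via XML-RPC marshalling of class instances) can be reproduced with the standard-library marshaller, because it serialises an arbitrary instance as a struct built from the object's whole __dict__. The following is an added example written for this page, not Zope's ZPublisher code and not the fix Zope shipped; the UserRecord class, its attribute names and the underscore-prefix filtering rule are assumptions constructed for the demonstration.

```python
# Added example for this page: how instance marshalling over XML-RPC leaks
# every attribute, and one way to restrict it.  UserRecord and its fields
# are constructed sample data, not real credentials or Zope code.
import xmlrpc.client


class UserRecord:
    """Constructed sample of an object a server method might hand back."""

    def __init__(self):
        self.username = "alice"
        self.email = "alice@example.org"
        # Private state that must never reach the client.  Constructed value.
        self._password_hash = "$1$constructed$placeholderhash"


def marshal_default(obj):
    """Marshal an instance the way xmlrpc.client does by default: the
    Marshaller falls back to dumping obj.__dict__ as a struct, so
    underscore-prefixed attributes go out on the wire too."""
    return xmlrpc.client.dumps((obj,), methodresponse=True)


def marshal_public_only(obj):
    """Hardened variant (an assumption for this example): build the struct
    explicitly from non-underscore attributes instead of letting the
    marshaller serialise the whole instance dictionary."""
    public = {k: v for k, v in vars(obj).items() if not k.startswith("_")}
    return xmlrpc.client.dumps((public,), methodresponse=True)


def decode(payload):
    """Parse a methodResponse payload and return the single result value,
    i.e. what a client would see after the call."""
    params, _method = xmlrpc.client.loads(payload)
    return params[0]


def leaked_keys(marshal_fn, obj=None):
    """Return the sorted struct member names a client receives from the
    given marshalling function."""
    obj = obj if obj is not None else UserRecord()
    return sorted(decode(marshal_fn(obj)).keys())


if __name__ == "__main__":
    print("default marshalling exposes:", leaked_keys(marshal_default))
    print("public-only marshalling exposes:", leaked_keys(marshal_public_only))
```

Filtering on a leading underscore is a convention, not a security boundary; the more robust design is to return plain dicts built from an explicit allow-list of fields so that the serialiser never sees the live object at all.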