[Zope] Script (Python) insecure ?

Philipp von Weitershausen philipp at weitershausen.de
Tue Aug 12 11:26:30 EDT 2008


Thanks a lot for taking care of these issues, Andreas!



Andreas Jung wrote:
> 
> 
> --On 12. August 2008 16:05:47 +0200 Andreas Jung 
> <lists at zopyx.com> wrote:
> 
>>
>>
>> --On 12. August 2008 14:16:44 +0200 Andreas Jung 
>> <lists at zopyx.com> wrote:
>>
>>> *sigh*
>>>
>>> I wish that both exploits had been reported to the Zope bugtracker in
>>> order to work on solutions before making the exploits public.
>>>
>>>
>>> --On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" 
>>> <mal at egenix.com>
>>> wrote:
>>>
>>>> Hello,
>>>
>>>
>>>
>>>>
>>>> 1. Attack:
>>>>
>>>> Put this into a "Script (Python)" object and run it:
>>>>
>>>> return 'kaboom'.encode('test.testall')
>>>>
>>>> This results in a denial-of-service, since Zope will hang
>>>> running the Python test suite.
>>>>
>>>> The reason for this is a problem in the way the encoding search
>>>> function works in Python 2.4. This was changed in 2.5 to no longer
>>>> allow searching for codecs outside the encodings package.
>>>
>>> That's pretty obscure behavior of Python 2.4...anyway.
>>
>> The followup for this issue is also on Launchpad including a possible
>> solution:
>>
>> <https://bugs.launchpad.net/zope2/+bug/257276>
>>
>> The patches/monkey patches for both issues need review and testing.
>>
>> I am now working on a security advisory.
>>
>> For the hotfixes and testing I definitely need help, since I am on the
>> road for the rest of the week and pretty busy, with limited network
>> connectivity.
>>
>>
> 
> I created a preliminary hotfix
> 
> <http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz/view>
> 
> After a rough test: it seems to work for Zope trunk, 2.10 and 2.11
> but has a failure for Zope 2.8.
> 
> That's all I can do for now - please test and improve the hotfix
> if needed.
> 
> Thanks,
> Andreas
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
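The Python 2.4 behaviour quoted in this message, where an encoding name passed to str.encode() doubles as a module path that the codec search function will import, is the root of the first attack. Two countermeasures follow from the thread: restrict which encoding names a sandboxed script may use at all, and be able to see when a name that matches no codec is tried. The code below is an added example, not code from this thread or from the Zope hotfix it links to; it runs on a modern Python 3 interpreter, where the 2.5 restriction to the encodings package is already in place, and the names ALLOWED_ENCODINGS, is_safe_encoding_name, safe_encode and the audit search function are this example's own assumptions.

```python
import codecs
import encodings
import encodings.aliases

# Allow-list of encoding names a sandboxed script may pass to str.encode().
# Assumption for this example: the stdlib alias table (alias keys plus the
# canonical module names they map to) is the complete set of acceptable names.
ALLOWED_ENCODINGS = (frozenset(encodings.aliases.aliases)
                     | frozenset(encodings.aliases.aliases.values()))


def is_safe_encoding_name(name):
    """True only for names that normalize to an allow-listed stdlib codec.

    Dots, slashes and backslashes are rejected before any lookup happens:
    a dotted name such as 'test.testall' is exactly what let the Python 2.4
    search function import a module outside the encodings package. (This
    also rejects the one legitimate dotted alias, 'ansi_x3.4_1968'; a
    caller can use 'ascii' instead.)
    """
    if not isinstance(name, str) or not name:
        return False
    if any(ch in name for ch in "./\\"):
        return False
    normalized = encodings.normalize_encoding(name).lower()
    return normalized in ALLOWED_ENCODINGS


def safe_encode(text, encoding="utf-8", errors="strict"):
    """Encode text, but only with an allow-listed encoding name."""
    if not is_safe_encoding_name(encoding):
        raise ValueError("encoding not permitted: %r" % (encoding,))
    return text.encode(encoding, errors)


# Detection side: a last-resort codec search function. Python consults
# registered search functions in registration order, so this one only runs
# after the stdlib search function has already failed, i.e. for unknown names.
_UNKNOWN_LOOKUPS = []


def _audit_search_function(name):
    _UNKNOWN_LOOKUPS.append(name)
    return None  # keep the LookupError; we only want to observe the name


codecs.register(_audit_search_function)


def unknown_encoding_lookups():
    """Encoding names that reached the audit hook (i.e. matched no codec)."""
    return list(_UNKNOWN_LOOKUPS)


def stock_encode_rejects(name, text="kaboom"):
    """Return True if the interpreter's own codec lookup refuses the name.

    On Python 2.5+ (and all of Python 3) the stdlib search function only
    imports modules below the encodings package, so the 2.4 trick of naming
    a module outside it ends in LookupError rather than in an import.
    """
    try:
        text.encode(name)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    print(safe_encode("kaboom", "utf-8"))
    print(is_safe_encoding_name("test.testall"))
    print(stock_encode_rejects("test.testall"))
    print(unknown_encoding_lookups())
```

Two design notes. The allow-list check happens before any call into the codec machinery, so a rejected name never reaches a search function at all; the audit hook is therefore only ever triggered by code that bypasses safe_encode, which is what makes its log useful. Successful lookups are cached by the interpreter and never reach a later search function, so the hook only ever sees names that matched nothing, and the list it builds is a direct signal of probing.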


