[Zope] HTTP Request Denial of Service Vulnerability

TsungWei Hu marr.tw at gmail.com
Fri Jul 24 21:44:55 EDT 2009


Thanks.

The vulnerability report was originally generated by the 'Foundstone Enterprise'
product on July 2. I was told the license for this product has expired, so now
I cannot know the exact product version. Anyway, glad to see this fixed.

/marr/

On Sat, Jul 25, 2009 at 3:35 AM, <Ryan_Permeh at mcafee.com> wrote:

> Yes.  We are going through our check database and changing the text of any
> "Do not use zope because of X" statements we find to "update zope to version
> X which fixes this issue", which is what it should have been originally.
> The Foundstone vulnerability management product is intended to help
> customers fix existing issues in their infrastructure, not to make judgment
> calls on their choice of deployed software.
>
> -----Original Message-----
> From: Chris McDonough [mailto:chrism at plope.com]
> Sent: Friday, July 24, 2009 12:05 PM
> To: Permeh, Ryan
> Cc: zope at zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Thanks Ryan!
>
> Were you also able (willing?) to take out the advice to not use Zope in the
> text?  I assume that text shows up whenever a Zope-related vulnerability is
> encountered by the scanner.
>
> - C
>
> On 7/24/09 1:15 PM, Ryan_Permeh at McAfee.com wrote:
> > Ok, the final analysis is as follows:
> >
> > We had an incorrect version regex that matched 2.10 the same as 2.1.
> > This issue seems to only affect zope version 2.0 through 2.5.01.  This led
> > to the vulnerability showing up with recent versions of zope being scanned.
> >
> > We are fixing both the regex and the suggested fix.  The new suggested
> > fix will be to update to the appropriate version of zope (in this case, post
> > 2.5.01), not to replace it with something else.  This fix should be updated
> > within the next week or so.
> >
> > If you have any further questions pertaining to McAfee (or Foundstone)
> > security reports, please feel free to contact me directly, or via
> > security at mcafee.com.  I am not a full time member of this list, so I may
> > not see any replies or questions made only to the list.
> >
> >
> > -----Original Message-----
> > From: Permeh, Ryan
> > Sent: Friday, July 24, 2009 9:53 AM
> > To: lists at zopyx.com
> > Cc: zope at zope.org
> > Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
> >
> > It is not related to the specified hotfix.  I'm getting details now, but
> > this is how it seems:
> > 1. this is from the Foundstone product, not a public advisory.  The
> > Foundstone product is a vulnerability scanner, and it seems that it feels
> > that the original poster's site is vulnerable to the stated issue.
> > 2. The vulnerability check was written and published in 2002.
> > 3. I am looking into details regarding both what the details of this
> > issue originally were, and what we look for to trigger its existence.
> >
> > This leads to a couple of observations.
> >
> > 1.  This is likely a false positive, unless the original poster was
> > running ridiculously old software.
> > 2. We will fix the check logic or remove the check entirely.  Checks this
> > old rarely add much value to the product.
> > 3. In any case, if the check stays, we will update the text.  I'm not
> > sure who wrote the original text in 2002, but it obviously doesn't apply
> > now.
> >
> >
> > -----Original Message-----
> > From: Andreas Jung [mailto:lists at zopyx.com]
> > Sent: Friday, July 24, 2009 9:43 AM
> > To: Permeh, Ryan
> > Cc: zope at zope.org
> > Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
> >
> > Hi,
> >
> > On 24.07.09 18:24, Ryan_Permeh at McAfee.com wrote:
> >> I manage product security at McAfee, of which Foundstone is a part.  I
> >> am not aware of releasing such an advisory, and am looking into this.  Could
> >> we get details regarding where this was found?  Was this posted to a web
> >> site?  A security mailing list?  And when was it posted?  This may have a
> >> very different meaning if it was published in 2001 or something like that.
> >> Alternately, Foundstone produces vulnerability management software; was
> >> this in a report generated by that product?
> >>
> >>
> > I have no idea what you are talking about.
> >
> > We had this strange mail thread this week:
> >
> > http://mail.zope.org/pipermail/zope/2009-July/175308.html
> >
> > related to this hotfix
> >
> > http://www.zope.org/Products/Zope/Hotfix-2008-08-12
> >
> > Now how is this related to "HTTP Request Denial of Service
> > Vulnerability"???
> >
> > I cannot find anything related to the subject within the list of our
> > hotfixes (which is pretty small since 2000):
> >
> > _______________________________________________
> > Zope maillist  -  Zope at zope.org
> > http://mail.zope.org/mailman/listinfo/zope
> > **   No cross posts or HTML encoding!  **
> > (Related lists -
> >   http://mail.zope.org/mailman/listinfo/zope-announce
> >   http://mail.zope.org/mailman/listinfo/zope-dev )
> >
>
>
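The root cause Ryan describes above is a version regex in the scanner that treated "2.10" the same as "2.1", so a check scoped to Zope 2.0 through 2.5.01 fired on current releases. The following is an added illustration of that failure mode and its fix; it is not code from the thread, from Zope, or from any McAfee/Foundstone product. The buggy pattern, the banner strings and their versions are all constructed for the example (the real scanner regex is not quoted anywhere in the thread), and the affected range is taken from Ryan's message.

```python
import re

# Affected range as stated in the thread: Zope 2.0 through 2.5.01, inclusive.
AFFECTED_MIN = (2, 0)
AFFECTED_MAX = (2, 5, 1)

# Assumed shape of the original check (the real regex is not on the page):
# a prefix match that never anchors the end of the minor version, so the
# text "2.10" satisfies a pattern meant for "2.1".
BUGGY_PATTERN = re.compile(r"Zope 2\.[0-5]")


def buggy_is_affected(banner):
    """Flags any banner containing 'Zope 2.' followed by a digit 0-5.
    'Zope 2.10' and 'Zope 2.12' both begin with 'Zope 2.1' and are
    therefore reported: the false positive the thread describes."""
    return BUGGY_PATTERN.search(banner) is not None


# Corrected approach: extract the whole dotted version, then compare
# numerically instead of textually.
VERSION_PATTERN = re.compile(r"Zope (\d+(?:\.\d+)+)")


def parse_version(banner):
    """Return the Zope version from a Server banner as a tuple of ints,
    so that (2, 10, 4) compares greater than (2, 5, 1). None if absent."""
    m = VERSION_PATTERN.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(banner):
    """Numeric range check: True only for 2.0 <= version <= 2.5.01."""
    version = parse_version(banner)
    if version is None:
        return False  # unknown version: do not report without evidence
    return AFFECTED_MIN <= version <= AFFECTED_MAX


# Constructed sample Server headers in the style Zope emits; the versions
# are chosen to exercise the boundary and are not taken from any real scan.
SAMPLE_BANNERS = [
    "Zope/(Zope 2.1.6 (source release, python 1.5.2, linux2), python 1.5.2, linux2) ZServer/1.1b1",
    "Zope/(Zope 2.5.01, python 2.1.3, linux2) ZServer/1.1b1",
    "Zope/(Zope 2.6.0, python 2.1.3, linux2) ZServer/1.1b1",
    "Zope/(Zope 2.10.4-final, python 2.4.4, linux2) ZServer/1.1",
    "Zope/(Zope 2.12.0, python 2.6.2, linux2) ZServer/1.1",
    "Apache/2.2.11 (Unix)",
]


def compare_checks(banners=SAMPLE_BANNERS):
    """Return (banner, buggy_verdict, correct_verdict) for each banner."""
    return [(b, buggy_is_affected(b), is_affected(b)) for b in banners]


if __name__ == "__main__":
    for banner, buggy, correct in compare_checks():
        print(f"buggy={buggy!s:5} correct={correct!s:5}  {banner}")
```

Running it shows the two checks agreeing on 2.1.6, 2.5.01 and 2.6.0 but disagreeing on 2.10.4 and 2.12.0, which only the prefix regex reports. The general lesson for anyone maintaining scanner checks is the same one Ryan draws: compare parsed version tuples against an explicit affected range rather than matching version text with a regex, and make the remediation text say "upgrade past X" rather than "do not use the product".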