SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Zope
Vendors:   Zope
Zope Application Server Through the Web Code Input Validation Bug May Let Remote Users Shut Down the Server
SecurityTracker Alert ID:  1005302
SecurityTracker URL:  http://securitytracker.com/id/1005302
CVE Reference:   CVE-2002-0687
Updated:  Dec 15 2003
Original Entry Date:  Sep 27 2002
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 2.4.4b2 and 2.5.1b2.
Description:   A vulnerability was reported in the Zope web application server. A remote user could cause a Zope server to shut down.

It is reported that a remote user can inject special headers into the response to cause the server to shut down.

This vulnerability applies to configurations that allow untrusted users to write "through the web" code using features such as Python Scripts, DTML Methods, or Page Templates.

Impact:   A remote user can cause the server to shut down.
Solution:   The vendor has released a fix (Hotfix_2002-04-15), available at:

http://www.zope.org/Products/Zope/Products/Zope/Hotfix_2002-04-15

Vendor URL:  www.zope.org/Products/Zope/Hotfix_2002-04-15/README.txt
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject:  Zope bug (Hotfix_2002-04-15)


http://www.zope.org/Products/Zope/Products/Zope/Hotfix_2002-04-15
http://www.zope.org/Products/Zope/Hotfix_2002-04-15/README.txt

CAN-2002-0687

Hotfix_2002-04-15

  This is a "hotfix" product. Hotfix products can be installed to
  incorporate modifications to Zope at runtime without requiring an
  immediate installation upgrade. Hotfix products are installed just
  as you would install any other Zope product.

  This hotfix addresses an important security issue that may affect
  some users of all Zope versions prior to 2.4.4b2 and 2.5.1b2.

  The issue involves a vulnerability involving "through the web code"
  inadvertently allowing an untrusted user to remotely shut down a
  Zope server by allowing the user to inject special headers into the
  response.  If you allow untrusted users to write "through the web"
  code like Python Scripts, DTML Methods, or Page Templates, your Zope
  server is vulnerable.

  We highly recommend that any Zope site have this hotfix product
  installed to mitigate the issue. Zope 2.5.1b2 and 2.4.4b2 as
  well as subsequent Zope release versions will contain a fix for the
  issue, at which time the hotfix can be removed.

---------

Hotfix_2002-04-15

  This hotfix addresses an important security issue that may affect
  some users of Zope versions 2.0 through 2.5.1 b1.

  The issue involves a vulnerability involving "through the web code"
  inadvertently allowing an untrusted user to remotely shut down a Zope
  server by allowing the user to inject special headers into the response.
  If you allow untrusted users to write "through the web" code like Python
  Scripts, DTML Methods, or Page Templates, your Zope server is
  vulnerable.

  We highly recommend that any Zope site have this hotfix product
  installed to mitigate the issue. Zope 2.5.1b2 and 2.4.4b2 as well as
  subsequent Zope release versions will contain a fix for the issue, at
  which time the hotfix can be removed.

http://www.zope.org/Products/Zope/Hotfix_2002-04-15/Hotfix_2002-04-15.tgz
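The advisory description above and the vendor message both classify the problem as an input validation error: response headers set by untrusted "through the web" code reached the server unchecked. The advisory does not name the specific headers involved, so the following is an added illustration of the general mitigation, not the hotfix's own code and not Zope's API. It models a filter that sits between untrusted script output and the server's response handling: header names untrusted code may set are allow-listed (the list itself is an assumption for the example), any header outside the list is dropped and logged, and values containing CR/LF or NUL are rejected so a script cannot smuggle additional header lines. The sample headers are constructed for the example.

```python
"""Added illustration (not Zope's or the hotfix's code): an allow-list
filter for response headers set by untrusted through-the-web code.

The advisory only says that untrusted code could "inject special headers
into the response"; the exact header names involved are not given, so
the allow-list below is an assumption made for this example.
"""
import re
from typing import Dict, List, Tuple

# Header names that untrusted script output is permitted to set.
# Assumption: a short allow-list is preferred to a deny-list because any
# header the server itself interprets is then excluded by default.
UNTRUSTED_HEADER_ALLOWLIST = frozenset({
    "content-type",
    "content-language",
    "cache-control",
    "expires",
    "last-modified",
})

# Header field names are RFC 7230 tokens; anything else is malformed.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderRejected(ValueError):
    """Raised for a header that untrusted code must not set."""


def validate_header(name: str, value: str) -> Tuple[str, str]:
    """Return a normalised (name, value) pair or raise HeaderRejected."""
    if not _TOKEN_RE.match(name):
        raise HeaderRejected(f"malformed header name: {name!r}")
    lname = name.lower()
    if lname not in UNTRUSTED_HEADER_ALLOWLIST:
        raise HeaderRejected(f"header not permitted from untrusted code: {name!r}")
    # A CR, LF or NUL in a value would let the script append header lines
    # of its own choosing to the response.
    if "\r" in value or "\n" in value or "\0" in value:
        raise HeaderRejected(f"control characters in value of {name!r}")
    return lname, value.strip()


def filter_untrusted_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split headers set by untrusted code into accepted ones and a rejection log.

    Rejected headers are dropped rather than passed on to the server, and
    each rejection reason is returned so the caller can log or alert on it.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in headers.items():
        try:
            lname, lvalue = validate_header(name, value)
        except HeaderRejected as exc:
            rejected.append(str(exc))
            continue
        accepted[lname] = lvalue
    return accepted, rejected


# Constructed sample: headers a hypothetical through-the-web script tries to
# set. The "X-Example-..." name and the injected value are made up for the
# example and are not taken from the advisory.
SAMPLE_SCRIPT_HEADERS = {
    "Content-Type": "text/plain",
    "Cache-Control": "no-cache",
    "X-Example-Server-Control": "constructed-value",
    "Expires": "0\r\nX-Example-Injected: 1",
}

if __name__ == "__main__":
    ok, bad = filter_untrusted_headers(SAMPLE_SCRIPT_HEADERS)
    print("accepted:", ok)
    for reason in bad:
        print("rejected:", reason)
```

The design choice worth noting is the allow-list: a deny-list of "dangerous" headers has to anticipate every header the server or any front-end proxy might act on, whereas an allow-list only has to enumerate the few headers a content script legitimately needs. Returning the rejection reasons, rather than silently dropping headers, gives operators a signal that a script on the site is attempting something it should not.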
Copyright 2019, SecurityGlobal.net LLC