SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Zope Vendors:   Zope
Zope Contains Multiple Security Assertion and Input Validation Flaws
SecurityTracker Alert ID:  1009165
SecurityTracker URL:  http://securitytracker.com/id/1009165
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 23 2004
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.6.3;
Description:   Several vulnerabilities were reported in Zope as the result of a security audit performed in the fourth quarter of 2003. A remote user can conduct cross-site scripting and denial of service attacks. A remote user may be able to gain access to information without authorization, and a user who is permitted to write through-the-web code (Python Scripts, Page Templates, DTML) may be able to obtain objects that the restricted execution environment should have withheld.

In January 2004, the vendor reported that a variety of security related bugs existed in previous versions of Zope.

It is reported that the default ZSearch interface reflects the user-supplied query string into its HTML response without escaping it. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Zope software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The vendor notes that the attack depends on browsers that do not escape HTML in query strings (Internet Explorer 5.5 is named); the defense is nonetheless server-side escaping of the reflected query, since browser behavior is not under the site's control.

A remote user can reportedly conduct certain types of denial of service attacks against the target Zope system because ZTUtils.SimpleTree decompresses tree state data taken from the request without checking the resulting size, so a small request can be expanded into a very large allocation. The dtml-tree DTML tag is also reported to evaluate user-supplied data with eval, with ineffective safeguards against abuse, which may allow denial of service attacks. In addition, inadequate type checking lets a unicode value passed to RESPONSE.write() reach asyncore, where the resulting exception terminates the ZServer main loop; this affects sites that allow untrusted users to write Python Scripts, Page Templates, or DTML.
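The following Python is an added illustration, not Zope's code: the token format (zlib, then urlsafe base64, wrapping the repr() of a literal structure) and the size limit are assumptions chosen for the example, not Zope's wire format or settings. It shows the decompression-bomb shape behind the SimpleTree report and the bounded decoding a practitioner would want instead, and it also covers the dtml-tree item in the vendor announcement reproduced below: the inflated state is parsed with ast.literal_eval rather than eval, so a request can only yield data, never run an expression. Standard library only.

```python
import ast
import base64
import zlib

# Upper bound on the inflated tree state we are willing to materialize.
# Hypothetical policy value for this example, not a Zope setting.
MAX_STATE_BYTES = 64 * 1024


def pack(raw):
    """Assumed wire format for a tree-state token: zlib, then urlsafe base64."""
    return base64.urlsafe_b64encode(zlib.compress(raw, 9)).decode("ascii")


def encode_tree_state(state):
    """What a well-behaved client sends back: the repr() of a literal structure."""
    return pack(repr(state).encode("utf-8"))


def inflate_unbounded(token):
    """Vulnerable step 1: decompress whatever the request carries, with no cap."""
    return zlib.decompress(base64.urlsafe_b64decode(token))


def decode_tree_state_unbounded(token):
    """Vulnerable step 2: eval() the result, so the token can also carry code."""
    return eval(inflate_unbounded(token).decode("utf-8"))  # deliberately unsafe


def decode_tree_state(token, limit=MAX_STATE_BYTES):
    """Hardened decoder: cap the inflated size before the bytes exist, then
    accept only a Python literal."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError as exc:          # binascii.Error is a ValueError
        raise ValueError("tree state is not valid base64") from exc

    d = zlib.decompressobj()
    # Request at most limit+1 bytes: one byte over the limit is enough to
    # prove the payload is oversized without inflating the remainder.
    try:
        out = d.decompress(raw, limit + 1)
    except zlib.error as exc:
        raise ValueError("tree state is not valid zlib data") from exc
    if len(out) > limit or d.unconsumed_tail:
        raise ValueError("tree state exceeds %d bytes when inflated" % limit)
    if not d.eof:
        raise ValueError("tree state is truncated")

    try:
        # literal_eval accepts strings, numbers, tuples, lists, dicts, sets,
        # booleans and None only: no names, no attribute access, no calls.
        return ast.literal_eval(out.decode("utf-8"))
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("tree state is not a literal") from exc


def rejects(token, limit=MAX_STATE_BYTES):
    """True if the hardened decoder refuses the token."""
    try:
        decode_tree_state(token, limit)
    except ValueError:
        return True
    return False


# Constructed inputs (not captured from a real Zope site).
GOOD_TOKEN = encode_tree_state(["root", "folder-2", "folder-2/doc"])  # legitimate state
BOMB_TOKEN = pack(b"\0" * (8 * 1024 * 1024))  # 8 MiB inflates from a few KiB on the wire
EXPR_TOKEN = pack(b"1+1")                     # not a literal; eval() would evaluate it

if __name__ == "__main__":
    print("good state   :", decode_tree_state(GOOD_TOKEN))
    print("bomb request :", len(BOMB_TOKEN), "bytes on the wire; rejected:", rejects(BOMB_TOKEN))
    print("expr payload : rejected:", rejects(EXPR_TOKEN))
```

The order of the two checks matters: the size cap is applied by the decompressor itself (the max_length argument), so the oversized output is never allocated, and only a payload that passed the cap reaches the parser.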

Several components of the software make improper or inadequate security assertions and security checks, the report said. Most of these affect the restricted execution environment in which untrusted Python Scripts, Page Templates, and DTML run: iteration over sequences (for loops, list comprehensions), list and dictionary instance methods such as dict.get, unpacking in assignments, function calls, and exception variables, the newer built-ins min, max, enumerate, iter, and sum, "import ... as ..." rebinding, and the "context" and "container" bindings of scripts and templates could each hand untrusted code an object without first checking that the executing user was permitted to obtain it. Subsequent checks on that object (for example, on attribute access) were still performed, but the object should not have been obtainable at all. PropertyManager "lines" and "tokens" properties were also stored as mutable lists, which untrusted code could alter in place without passing the usual checks.

Outside the restricted environment, DTMLMethods with proxy rights could transfer those rights to a parent object via acquisition, DTMLDocument objects and the administrative "find" methods carried inadequate security assertions, PythonScript class security was not initialized properly, and XML-RPC marshaling of class instances serialized the instance __dict__, including underscore-prefixed attributes that Zope treats as private. A remote user may be able to gain access to protected methods or objects, or to view data that should not be disclosed.
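To make "obtained without a check" concrete, here is an added Python example that is not Zope's code: a miniature of how a restricted execution environment rewrites untrusted source so that object access goes through guard functions. Zope does this with RestrictedPython and AccessControl; the guard names, the Protected marker class, and the policy below are assumptions chosen for illustration. With full=False the rewrite checks only attribute and item access, reproducing the pre-2.6.3 gap described in the vendor announcement further down: a for loop, a list comprehension, or tuple unpacking hands the script an object that items[1] would have refused, while a later attribute access on that object is still caught. With full=True those paths are guarded as well. Requires Python 3.9 or newer for the ast.Subscript layout.

```python
import ast


class Unauthorized(Exception):
    """Raised when restricted code tries to obtain an object it may not see."""


class Protected:
    """Hypothetical marker for an object the executing user may not obtain."""

    def __init__(self, secret):
        self.secret = secret


# Guards: every path by which restricted code obtains an object should end here.
def validate(value):
    if isinstance(value, Protected):
        raise Unauthorized("not allowed to obtain a Protected object")
    return value


def guarded_getattr(obj, name):
    # Check the container too, so an object that leaked through an unguarded
    # path is still caught the moment the script touches one of its attributes.
    validate(obj)
    if name.startswith("_"):
        raise Unauthorized("private attribute %r" % name)
    return validate(getattr(obj, name))


def guarded_getitem(obj, key):
    return validate(obj[key])


def guarded_iter(seq):
    for item in seq:
        yield validate(item)


class Guard(ast.NodeTransformer):
    """Route object access in untrusted source through the guards.

    full=False: attribute and item access are checked, but objects yielded by
    iteration, comprehensions and unpacking are not (the pre-fix gap).
    full=True: those paths are guarded too.
    """

    def __init__(self, full):
        self.full = full

    @staticmethod
    def _call(name, *args):
        return ast.Call(func=ast.Name(id=name, ctx=ast.Load()), args=list(args), keywords=[])

    def visit_Attribute(self, node):
        self.generic_visit(node)
        if isinstance(node.ctx, ast.Load):
            return self._call("guarded_getattr", node.value, ast.Constant(node.attr))
        return node

    def visit_Subscript(self, node):
        self.generic_visit(node)
        if isinstance(node.ctx, ast.Load):
            return self._call("guarded_getitem", node.value, node.slice)
        return node

    def visit_For(self, node):
        self.generic_visit(node)
        if self.full:
            node.iter = self._call("guarded_iter", node.iter)
        return node

    visit_comprehension = visit_For  # same field name ("iter") on comprehension nodes

    def visit_Assign(self, node):
        self.generic_visit(node)
        # "a, b = seq" pulls items out of seq without going through __getitem__.
        if self.full and any(isinstance(t, (ast.Tuple, ast.List)) for t in node.targets):
            node.value = self._call("guarded_iter", node.value)
        return node


def run_restricted(source, full, **bindings):
    """Rewrite, compile and run untrusted source with only the guards as builtins;
    return whatever the script bound to the name 'result'."""
    tree = ast.fix_missing_locations(Guard(full).visit(ast.parse(source, "<untrusted>")))
    env = {"__builtins__": {"guarded_getattr": guarded_getattr,
                            "guarded_getitem": guarded_getitem,
                            "guarded_iter": guarded_iter}}
    env.update(bindings)
    exec(compile(tree, "<untrusted>", "exec"), env)
    return env.get("result")


def obtains_protected(source, full):
    """True if the script ends up holding a Protected object despite the policy."""
    items = [1, Protected("s3cret")]  # constructed input: one public, one protected
    try:
        result = run_restricted(source, full, items=items)
    except Unauthorized:
        return False
    found = result if isinstance(result, list) else [result]
    return any(isinstance(r, Protected) for r in found)


if __name__ == "__main__":
    for script in ("result = items[1]", "for x in items: result = x",
                   "result = [x for x in items]", "a, b = items\nresult = b"):
        print("%-30r leaks pre-fix: %-5s  leaks fixed: %s" % (
            script, obtains_protected(script, False), obtains_protected(script, True)))
```

The point the vendor makes about "subsequent checks" is visible in guarded_getattr: with full=False, "a, b = items" leaks b, but "b.secret" is still refused because the guard validates the container. The fix closes the acquisition of the object itself, not only its later use.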

Impact:   A remote user can cause denial of service conditions on the target system.

A remote user may be able to access methods or objects to view or modify data without proper authorization.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Zope software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fixed version (2.6.3), available at:

http://www.zope.org/Products/Zope/2.6.3/

The vendor has also issued the fixes as part of 2.7.0 beta 4 (2.7.0b4), available at:

http://www.zope.org/Products/Zope/2.7.0b4/

Vendor URL:  mail.zope.org/pipermail/zope-announce/2004-January/001325.html
Cause:   Access control error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  http://mail.zope.org/pipermail/zope-announce/2004-January/001325.html


http://mail.zope.org/pipermail/zope-announce/2004-January/001325.html

Brian Lloyd
Thu Jan 8 20:19:12 EST 2004

Zope 2.6.3 Release and Security Update

   Zope 2.6.3 contains a number of security related fixes for issues
   resolved during a comprehensive security audit conducted in Q4
   2003. You may download Zope 2.6.3 from Zope.org:

     http://www.zope.org/Products/Zope/2.6.3/

   **Users of the VerboseSecurity add-on product for Zope please note:** some
   of the security-related changes in Zope 2.6.3 are incompatible with the
   VerboseSecurity product. Please uninstall the VerboseSecurity product before
   upgrading to 2.6.3 to avoid problems. It is expected that VerboseSecurity
   will be updated to be compatible with Zope 2.6.3 in the near future.

   Also note that there are binary code changes in the 2.6.3 release, making
   it impossible to issue an external "hotfix" to resolve these issues. CVS
   users should be sure to update their sites **and rebuild the C Python
   extensions** to ensure that all fixes are deployed.

   In the fourth quarter of 2003, a comprehensive evaluation of the changes
   to Python from version 2.1 to 2.3.3 was undertaken. This evaluation was
   designed to assess each change to the Python environment in terms of its
   potential impact on the Zope application server and Zope applications,
   with the goal of making Python 2.3.3 the required Python platform for
   Zope beginning with Zope 2.7.

   The evaluation was focused on assessing changes to Python in the
   following contexts:

     - Changes that would have compatibility or other effects on existing
       or new Zope applications

     - Changes that could potentially affect the Zope security architecture
       or change the behavior of the restricted execution environment used
       by Zope to run untrusted code


   In the course of the evaluation, very few of the Python changes in 2.3.3
   directly affected the Zope security architecture or had impacts on the
   restricted execution model.

   However, a number of pre-existing potential issues were discovered and
   resolved in the course of the comprehensive security audit that was
   performed as a part of the Python upgrade evaluation. Zope 2.6.3 provides
   fixes for all of these issues. A description of each issue, who is
   affected and issue status is included below.

   For more information on what is new in this release, see the CHANGES.txt
   and HISTORY.txt files for the release:

     - http://www.zope.org/Products/Zope/2.6.3/CHANGES.txt

     - http://www.zope.org/Products/Zope/2.6.3/HISTORY.txt

   For more information on the available Zope releases, guidance for
   selecting the right distribution and installation instructions, please see:

     http://www.zope.org/Documentation/Misc/InstallingZope.html



   ISSUES RESOLVED BY Zope 2.6.3:

   - For loops, list comprehensions, and other iterations in untrusted
      code

     Issue Description

     Iteration over sequences could in some cases fail to check access
     to an object obtained from the sequence. Subsequent checks (such
     as for attributes access) of such an object would still be
     performed, but it should not have been possible to obtain the
     object in the first place.

     Who Is Affected?

     Sites that allow untrusted users to write Python Scripts, Page
     Templates, and DTML.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - List and dictionary instance methods in untrusted code

     Issue Description

     List and dictionary instance methods such as the get method of
     dictionary objects were not security aware and could return an
     object without checking access to that object. Subsequent checks
     (such as for attributes access) of such an object would still be
     performed, but it should not have been possible to obtain the
     object in the first place.

     Who Is Affected?

     Sites that allow untrusted users to write Python Scripts, Page
     Templates, and DTML.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - Use of "import as" in untrusted code

     Issue Description

     Use of "import as" in Python scripts could potentially rebind
     names in ways that could be used to avoid appropriate security
     checks.

     Who Is Affected?

     Sites that allow untrusted users to write Python Scripts, Page
     Templates, and DTML.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - Use of min, max, enumerate, iter, and sum in untrusted code

     Issue Description

     A number of newer built-ins were either unavailable in untrusted
     code or did not perform adequate security checking.

     Who Is Affected?

     Sites that allow untrusted users to write Python Scripts, Page
     Templates, and DTML.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - Broken binding validation in untrusted code

     Issue Description

     The variables bound to page templates and Python scripts such as
     "context" and "container" were not checked adequately, allowing
     a script to potentially access those objects without ensuring the
     necessary permissions on the part of the executing user.

     Who Is Affected?

     Sites that allow untrusted users to write Python Scripts, Page
     Templates, and DTML.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - Unpacking in untrusted code

     Issue Description

     Unpacking via function calls, variable assignment, exception
     variables and other contexts did not perform adequate security
     checks, potentially allowing access to objects that should have
     been protected.

     Who Is Affected?

     Sites that allow untrusted users to write Python Scripts, Page
     Templates, and DTML.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - Unicode passed to RESPONSE.write() could shut down process

     Issue Description

     Inadequate type checking could allow unicode values passed to
     RESPONSE.write() to be passed into deeper layers of asyncore,
     where an exception would eventually be generated at a level that
     would cause the Zserver main loop to terminate.

     Who Is Affected?

     Sites that allow untrusted users to write Python Scripts, Page
     Templates, and DTML.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - PythonScript class security not initialized properly

     Issue Description

     Class security was not properly initialized for PythonScripts,
     potentially allowing access to variables that should be protected.
     It turned out that most of the security assertions were in fact
     activated as a side effect of other code, but this fix is still
     appropriate to ensure that all security declarations are properly
     applied.

     Who Is Affected?

     Sites that use Python Scripts.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - XML-RPC instance marshaling may disclose protected values

     Issue Description

     XML-RPC marshalling of class instances used the instance
     __dict__ to marshal the object, and could include attributes
     prefixed with an underscore name. These attributes are considered
     private in Zope and should generally not be disclosed.

     Who Is Affected?

     All Zope sites.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
     and higher. Affected sites are strongly encouraged to update
     their Zope installations to prevent this issue.


   - DTML tag dtml-tree may allow DoS attack

     Issue Description

     The dtml-tree tag used an "eval" of user-supplied data; its
     efforts to prevent abuse were ineffective.

     Who Is Affected?

     All Zope sites.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - Potential cross-site scripting problem in default ZSearch interface

     Issue Description

     Browsers that do not escape HTML in query strings such as
     Internet Explorer 5.5 could potentially send a script tag in a
     query string to the ZSearch interface for cross-site scripting.

     Who Is Affected?

     Sites that use the default ZSearch interface.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
     and higher. Affected sites are strongly encouraged to update
     their Zope installations to prevent this issue.


   - Proxy rights on DTMLMethods transferred via acquisition

     Issue Description

     DTMLMethods with proxy rights could incorrectly transfer those
     rights via acquisition when traversing to a parent object.

     Who Is Affected?

     Sites that allow users who have increased permissions in
     subfolders to write DTMLMethods.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
     and higher. Affected sites are strongly encouraged to update
     their Zope installations to prevent this issue.


   - Improper security assertions on DTMLDocument objects

     Issue Description

     Some improper security assertions on DTMLDocument objects could
     potentially allow access to members that should be protected.

     Who Is Affected?

     Sites that use DTMLDocuments for secure content.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - PropertyManager 'lines' and 'tokens' properties stored as list

     Issue Description

     Some property types were stored in a mutable data type (list) which
     could potentially allow untrusted code to effect changes on those
     properties without going through appropriate security checks in
     particular scenarios.

     Who Is Affected?

     Sites that allow untrusted users to write Python Scripts, Page
     Templates, and DTML.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - Inadequate security assertions on admin "find" functions

     Issue Description

     Inadequate security assertions on administrative "find" methods
     could potentially be abused.

     Who Is Affected?

     All Zope sites.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - ZTUtils.SimpleTree state handling

     Issue Description

     The ZTUtils SimpleTree decompressed tree state data from the
     request without checking for final size, which could allow for
     certain types of DoS attacks.

     Who Is Affected?

     Sites that rely on the ZTUtils.SimpleTree.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher. Affected sites are strongly encouraged to update their
     Zope installations to prevent this issue.


   - Configuration file did not override security policy selection

     Issue Description

     This is not really a security issue, just a usability issue. It has
     always been possible to alternate between C and Python implementations
     of the Zope security policy using certain environment variables. As
     of Zope 2.7, use of environment variables is deprecated in favor of
     the new 2.7 configuration files. The new configuration machinery was
     not implementing the directive used to override the default security
     policy.

     Who Is Affected?

     Zope 2.7 beta users.

     Resolution

     This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
     higher.
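The XML-RPC marshaling item in the announcement above is easy to reproduce with Python's own xmlrpc.client marshaller, which likewise serializes an arbitrary instance by dumping its __dict__ as a struct. The following is an added example, not Zope's code: the Account and Person classes and their attribute values are constructed for the demonstration. It shows the disclosure on the wire and a filtering step that applies the underscore convention recursively before anything reaches the marshaller.

```python
import xmlrpc.client


class Person:
    """Constructed nested object with one private attribute."""

    def __init__(self, name):
        self.name = name
        self._ssn = "000-00-0000"  # private by the underscore convention


class Account:
    """Constructed object mixing public and private attributes."""

    def __init__(self, name, email, owner):
        self.name = name
        self.email = email
        self.owner = owner  # nested instance, marshalled recursively
        self._password_hash = "$2b$12$abcdefghijklmnopqrstuv"
        self._roles = ["Manager"]


def marshal_naive(obj):
    """Vulnerable shape: hand the instance straight to the marshaller, which
    walks __dict__ and emits every attribute, underscore-prefixed or not."""
    return xmlrpc.client.dumps((obj,), methodresponse=True)


def public_view(value):
    """Recursively reduce value to XML-RPC-safe data (dicts, lists, scalars),
    dropping any attribute or key whose name starts with an underscore."""
    if isinstance(value, dict):
        return {k: public_view(v) for k, v in value.items() if not str(k).startswith("_")}
    if isinstance(value, (list, tuple)):
        return [public_view(v) for v in value]
    if hasattr(value, "__dict__") and not isinstance(value, type):
        return public_view(vars(value))  # instance: filter its attributes
    return value


def marshal_public(obj):
    """Hardened shape: filter first, then marshal only plain data."""
    return xmlrpc.client.dumps((public_view(obj),), methodresponse=True)


def decode(xml):
    """What the remote caller receives, as Python data."""
    (value,), _method = xmlrpc.client.loads(xml)
    return value


def disclosed_private_names(xml):
    """Sorted list of '_'-prefixed struct member names anywhere in the response."""
    found = set()

    def walk(v):
        if isinstance(v, dict):
            for k, inner in v.items():
                if k.startswith("_"):
                    found.add(k)
                walk(inner)
        elif isinstance(v, list):
            for inner in v:
                walk(inner)

    walk(decode(xml))
    return sorted(found)


# Constructed sample, not data from a real site.
SAMPLE = Account("alice", "alice@example.invalid", Person("Alice"))

if __name__ == "__main__":
    print("naive marshalling discloses :", disclosed_private_names(marshal_naive(SAMPLE)))
    print("filtered response           :", decode(marshal_public(SAMPLE)))
```

Filtering the data rather than patching the marshaller keeps the check in one place regardless of which serializer is used, and the recursion matters because the nested Person would otherwise carry its own private attribute through an otherwise clean top-level object.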






 
 



Copyright 2019, SecurityGlobal.net LLC