[Zope] HTTP Request Denial of Service Vulnerability
I manage product security at McAfee, of which Foundstone is a part. I am not aware of releasing such an advisory, and am looking into this.

Could we get details regarding where this was found? Was this posted to a web site? A security mailing list? And when was it posted? This may have a very different meaning if it was published in 2001 or something like that. Alternately, Foundstone produces vulnerability management software; was this in a report generated by that product?

As far as I know, we try to never make general sweeping statements about products such as those quoted by the poster. Our statements are typically regarding a single vulnerability, and extrapolating to the entire product is not in our nature or in our customers' best interests. We want issues fixed, not to argue about which specific platforms are better than others.

Additionally, we try to never release any vague reports such as the one I'd seen. They are typically combined with additional details that would allow one to determine their own risk, and we usually include a CVE number or another common vulnerability identifier. Finally, we follow responsible disclosure, and wouldn't issue an advisory without notifying the vendor prior.

I have the appropriate teams trying to track this down from an internal standpoint, but any help from the community, especially the original poster, would be appreciated. If our statement or product wording is incorrect, we will certainly rectify this.

Ryan Permeh
Manager of Product Security
McAfee Security Architecture Group
email: ryan_per...@mcafee.com

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] HTTP Request Denial of Service Vulnerability
Hi,

On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
> I manage product security at McAfee, of which Foundstone is a part. I am not aware of releasing such an advisory, and am looking into this. Could we get details regarding where this was found? [...]

I have no idea what you are talking about. We had this strange mail thread this week:

http://mail.zope.org/pipermail/zope/2009-July/175308.html

related to this hotfix

http://www.zope.org/Products/Zope/Hotfix-2008-08-12

Now how is this related to HTTP Request Denial of Service Vulnerability ??? I can not find anything related to the subject within the list of our hotfixes (which is pretty small since 2000):

begin:vcard
fn:Andreas Jung
n:Jung;Andreas
org:ZOPYX Ltd. Co. KG
adr:;;Charlottenstr. 37/1;Tübingen;;72070;Germany
email;internet:i...@zopyx.com
title:CEO
tel;work:+49-7071-793376
tel;fax:+49-7071-7936840
tel;home:+49-7071-793257
x-mozilla-html:FALSE
url:www.zopyx.com
version:2.1
end:vcard
Re: [Zope] HTTP Request Denial of Service Vulnerability
On 24.07.09 18:43, Andreas Jung wrote:
> [...] I can not find anything related to the subject within the list of our hotfixes (which is pretty small since 2000):

Sorry, I pressed the send button too early.

http://www.zope.org/Products/

So what is this discussion all about? What has McAfee to do with this issue?!

Andreas Jung
Zope 2 Release Manager

-- 
ZOPYX Ltd. Co KG \ ZOPYX Friends
Charlottenstr. 37/1 \ The experts for your Python, Zope and
D-72070 Tübingen \ Plone projects
www.zopyx.com, i...@zopyx.com \ www.zopyx.de/friends, frie...@zopyx.de
E-Publishing, Python, Zope Plone development, Consulting
Re: [Zope] HTTP Request Denial of Service Vulnerability
It is not related to the specified hotfix. I'm getting details now, but this is how it seems:

1. This is from the Foundstone product, not a public advisory. The Foundstone product is a vulnerability scanner, and it seems that it feels that the original poster's site is vulnerable to the stated issue.
2. The vulnerability check was written and published in 2002.
3. I am looking into details regarding both what the details of this issue originally were, and what we look for to trigger its existence.

This leads to a couple of observations.

1. This is likely a false positive, unless the original poster was running ridiculously old software.
2. We will fix the check logic or remove the check entirely. Checks this old rarely add much value to the product.
3. In any case, if the check stays, we will update the text. I'm not sure who wrote the original text in 2002, but it obviously doesn't apply now.

-----Original Message-----
From: Andreas Jung [mailto:li...@zopyx.com]
Sent: Friday, July 24, 2009 9:43 AM
To: Permeh, Ryan
Cc: zope@zope.org
Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability

> I have no idea what you are talking about. We had this strange mail thread this week: http://mail.zope.org/pipermail/zope/2009-July/175308.html related to this hotfix http://www.zope.org/Products/Zope/Hotfix-2008-08-12 Now how is this related to HTTP Request Denial of Service Vulnerability ??? I can not find anything related to the subject within the list of our hotfixes (which is pretty small since 2000):
Re: [Zope] HTTP Request Denial of Service Vulnerability
+---[ ryan_per...@mcafee.com ]--
|
| 1. This is likely a false positive, unless the original poster was running ridiculously old software.

Ridiculously old software is not outside the realms of probability

-- 
Andrew Milton
a...@theinternet.com.au
Re: [Zope] HTTP Request Denial of Service Vulnerability
Ok, the final analysis is as follows:

We had an incorrect version regex that matched 2.10 the same as 2.1. This issue seems to only affect Zope versions 2.0 through 2.5.01. This led to the vulnerability showing up with recent versions of Zope being scanned.

We are fixing both the regex and the suggested fix. The new suggested fix will be to update to the appropriate version of Zope (in this case, post 2.5.01), not to replace it with something else. This fix should be updated within the next week or so.

If you have any further questions pertaining to McAfee (or Foundstone) security reports, please feel free to contact me directly, or via secur...@mcafee.com. I am not a full time member of this list, so I may not see any replies or questions made only to the list.

-----Original Message-----
From: Permeh, Ryan
Sent: Friday, July 24, 2009 9:53 AM
To: li...@zopyx.com
Cc: zope@zope.org
Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability

> It is not related to the specified hotfix. I'm getting details now, but this is how it seems: [...]
Re: [Zope] HTTP Request Denial of Service Vulnerability
That's why I usually override the Server: HTTP header from within my Zope apps for public sites running on Zope :-)

Andreas

On 24.07.09 19:15, ryan_per...@mcafee.com wrote:
> Ok, the final analysis is as follows: We had an incorrect version regex that matched 2.10 the same as 2.1. This issue seems to only affect Zope versions 2.0 through 2.5.01. This led to the vulnerability showing up with recent versions of Zope being scanned. [...]

-- 
ZOPYX Ltd. Co KG \ ZOPYX Friends
Charlottenstr. 37/1 \ The experts for your Python, Zope and
D-72070 Tübingen \ Plone projects
www.zopyx.com, i...@zopyx.com \ www.zopyx.de/friends, frie...@zopyx.de
E-Publishing, Python, Zope Plone development, Consulting
Re: [Zope] HTTP Request Denial of Service Vulnerability
It should be noted that doing this may make it less likely for a general purpose automated scanner like Foundstone (or Nessus or any vulnerability scanner) to find your deployment, but it does not fix the issue in the app that the scanner was checking for. This may or may not be an appropriate action, depending on your environment.

Good guy scanners like our product usually have to try to determine if a site is vulnerable in non-intrusive ways, such as checking banners. Bad guys' scanners often send the exploit regardless of version. They have no problem causing damage by sending potentially dangerous inputs to your application. By changing the banner, you may be preventing good guys from seeing the issue and attempting to fix the issue without preventing bad guys from exploiting the issue.

In any case, since this was done in 2002, it's unlikely the specific issue in question is very relevant on either side.

-----Original Message-----
From: Andreas Jung [mailto:li...@zopyx.com]
Sent: Friday, July 24, 2009 10:22 AM
To: Permeh, Ryan
Cc: zope@zope.org
Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability

> That's why I usually override the Server: HTTP header from within my Zope apps for public sites running on Zope :-)
>
> Andreas
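Two points in the thread lend themselves to a short worked illustration: the version regex Ryan describes (one that treated 2.10 the same as 2.1, so Zope 2.10.x tripped a check meant for 2.0 through 2.5.01) and the banner-only limitation he raises in the message above, where a hidden Server: header leaves a non-intrusive scanner with no evidence either way. The Python below is an added example written for this page; it is not Foundstone's check or any Zope code. The naive pattern is an assumed reconstruction of the kind of mistake described, not the actual regex, and the sample banners are constructed in the shape of Zope 2's default Server: header.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample Server: banners (not captured from any real host). They
# follow the shape of Zope 2's default banner, "Zope/(Zope X.Y.Z, python ...)".
SAMPLE_BANNERS: Dict[str, str] = {
    "old":    "Zope/(Zope 2.5.01, python 2.1.3, linux2) ZServer/1.1b1",
    "fixed":  "Zope/(Zope 2.6.0, python 2.2.3, linux2) ZServer/1.1b1",
    "recent": "Zope/(Zope 2.10.7-final, python 2.4.6, linux2) ZServer/1.1",
    "masked": "Apache",  # a site that overrides the Server: header, as Andreas does
}

# Affected range as stated in the thread: Zope 2.0 through 2.5.01, inclusive.
AFFECTED_MIN: Tuple[int, ...] = (2, 0)
AFFECTED_MAX: Tuple[int, ...] = (2, 5, 1)

# Assumed reconstruction of the flawed check (not the vendor's regex): the
# pattern ends right after the minor digit, so "Zope 2.10" satisfies it as
# though it were "Zope 2.1".
NAIVE_PATTERN = re.compile(r"Zope 2\.[0-5]")

# Corrected approach: capture the whole dotted version, then compare numerically.
VERSION_PATTERN = re.compile(r"\bZope (\d+(?:\.\d+)+)")


def naive_version_check(banner: str) -> bool:
    """The buggy prefix-style match. It also returns False when the banner
    carries no version at all, conflating 'not affected' with 'no evidence'."""
    return NAIVE_PATTERN.search(banner) is not None


def parse_zope_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the Zope version as a tuple of ints, or None if the banner
    shows no version. "2.5.01" parses to (2, 5, 1), so a leading zero in a
    component does not disturb the comparison."""
    match = VERSION_PATTERN.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def version_check(banner: str) -> Optional[bool]:
    """True if the banner shows an affected version, False if it shows one
    outside the range, None if no version is visible. Tuple comparison orders
    (2, 10, 7) after (2, 5, 1), which a textual prefix match cannot do."""
    version = parse_zope_version(banner)
    if version is None:
        return None  # banner gives no evidence; report "unknown", not "safe"
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def compare_checks(banners: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[bool]]]:
    """Run both checks over a set of banners: name -> (naive result, corrected result)."""
    return {name: (naive_version_check(b), version_check(b)) for name, b in banners.items()}


if __name__ == "__main__":
    for name, (naive, correct) in compare_checks(SAMPLE_BANNERS).items():
        print(f"{name:7s} naive={naive!s:5s} corrected={correct}")
```

Running it shows the false positive on the "recent" banner (naive True, corrected False) and, for the "masked" banner, the difference between the naive check's confident False and the corrected check's None, which is the distinction a scanner report should preserve when a banner has been overridden.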
Re: [Zope] HTTP Request Denial of Service Vulnerability
Ryan,

Thanks for the quick work on resolving this. :-)

Ric

On Jul 24, 2009, at 10:15 AM, ryan_per...@mcafee.com wrote:
> Ok, the final analysis is as follows: We had an incorrect version regex that matched 2.10 the same as 2.1. This issue seems to only affect Zope versions 2.0 through 2.5.01. [...]
Re: [Zope] HTTP Request Denial of Service Vulnerability
Thanks Ryan!

Were you also able (willing?) to take out the advice to not use Zope in the text? I assume that text shows up whenever a Zope-related vulnerability is encountered by the scanner.

- C

On 7/24/09 1:15 PM, ryan_per...@mcafee.com wrote:
> Ok, the final analysis is as follows: We had an incorrect version regex that matched 2.10 the same as 2.1. This issue seems to only affect Zope versions 2.0 through 2.5.01. [...]
Re: [Zope] HTTP Request Denial of Service Vulnerability
Yes. We are going through our check database and changing the text of any "Do not use Zope because of X" statements we find to "update Zope to version X, which fixes this issue", which is what it should have been originally. The Foundstone vulnerability management product is intended to help customers fix existing issues in their infrastructure, not to make judgment calls on their choice of deployed software.

-----Original Message-----
From: Chris McDonough [mailto:chr...@plope.com]
Sent: Friday, July 24, 2009 12:05 PM
To: Permeh, Ryan
Cc: zope@zope.org
Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability

> Thanks Ryan! Were you also able (willing?) to take out the advice to not use Zope in the text? I assume that text shows up whenever a Zope-related vulnerability is encountered by the scanner.
Re: [Zope] HTTP Request Denial of Service Vulnerability
Thanks. The vulnerability report was originally generated by the 'Foundstone Enterprise' product on July 2. I was told the license for this product expired, so now I can not know the exact product version. Anyway, glad to see this fixed.

/marr/

On Sat, Jul 25, 2009 at 3:35 AM, ryan_per...@mcafee.com wrote:
> Yes. We are going through our check database and changing the text of any "Do not use zope because of X" statements we find to "update zope to version X which fixes this issue", which is what it should have been originally. The Foundstone vulnerability management product is intended to help customers fix existing issues in their infrastructure, not to make judgment calls on their choice of deployed software.
>
> -----Original Message-----
> From: Chris McDonough [mailto:chr...@plope.com]
> Sent: Friday, July 24, 2009 12:05 PM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Thanks Ryan!
>
> Were you also able (willing?) to take out the advice to not use Zope in the text? I assume that text shows up whenever a Zope-related vulnerability is encountered by the scanner.
>
> - C
>
> On 7/24/09 1:15 PM, ryan_per...@mcafee.com wrote:
> > Ok, the final analysis is as follows:
> >
> > We had an incorrect version regex that matched 2.10 the same as 2.1. This issue seems to only affect zope version 2.0 through 2.5.01. This led to the vulnerability showing up with recent versions of zope being scanned.
> >
> > We are fixing both the regex and the suggested fix. The new suggested fix will be to update to the appropriate version of zope (in this case, post 2.5.01), not to replace it with something else. This fix should be updated within the next week or so.
> >
> > If you have any further questions pertaining to McAfee (or Foundstone) security reports, please feel free to contact me directly, or via secur...@mcafee.com. I am not a full time member of this list, so I may not see any replies or questions made only to the list.
> >
> > -----Original Message-----
> > From: Permeh, Ryan
> > Sent: Friday, July 24, 2009 9:53 AM
> > To: li...@zopyx.com
> > Cc: zope@zope.org
> > Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
> >
> > It is not related to the specified hotfix. I'm getting details now, but this is how it seems:
> >
> > 1. This is from the Foundstone product, not a public advisory. The Foundstone product is a vulnerability scanner, and it seems that it feels that the original poster's site is vulnerable to the stated issue.
> > 2. The vulnerability check was written and published in 2002.
> > 3. I am looking into details regarding both what the details of this issue originally were, and what we look for to trigger its existence.
> >
> > This leads to a couple of observations.
> >
> > 1. This is likely a false positive, unless the original poster was running ridiculously old software.
> > 2. We will fix the check logic or remove the check entirely. Checks this old rarely add much value to the product.
> > 3. In any case, if the check stays, we will update the text. I'm not sure who wrote the original text in 2002, but it obviously doesn't apply now.
> >
> > -----Original Message-----
> > From: Andreas Jung [mailto:li...@zopyx.com]
> > Sent: Friday, July 24, 2009 9:43 AM
> > To: Permeh, Ryan
> > Cc: zope@zope.org
> > Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
> >
> > [...]
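The version-regex bug Ryan describes above (a check that matched 2.10 the same as 2.1) is a classic scanner false-positive pattern. The following is an added example, not code from the thread, from Foundstone or from Zope: since the real regex is never quoted, the buggy pattern is a hypothetical reconstruction of that class of bug, shown beside a numeric range comparison against the affected range the thread states (Zope 2.0 through 2.5.01); the sample version list is constructed.

```python
import re

# Added example for this thread, not Foundstone's or Zope's code. The real
# Foundstone regex is not quoted in the thread, so BUGGY_PATTERN below is a
# hypothetical reconstruction of the class of bug Ryan Permeh describes: a
# prefix match that treats "2.10" the same as "2.1".

# Affected range stated in the thread: Zope 2.0 through 2.5.01.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 1)

# Hypothetical buggy check: anchored at the start of the string but not at a
# component boundary, so "2.10.8" matches through its "2.1" prefix.
BUGGY_PATTERN = re.compile(r"^2\.[0-5]")


def buggy_is_affected(version):
    """Reproduce the false positive: a prefix regex with no boundary check."""
    return BUGGY_PATTERN.match(version) is not None


def parse_version(version):
    """Turn a dotted version string into a tuple of ints, e.g. '2.10.8' ->
    (2, 10, 8) and '2.5.01' -> (2, 5, 1). Short versions are padded with
    zeros so '2.5' compares equal to '2.5.0'. Raises ValueError on input that
    is not a dotted numeric version, so garbage never silently passes."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % (version,))
    nums = tuple(int(p) for p in parts)
    if len(nums) < 3:
        nums += (0,) * (3 - len(nums))
    return nums


def fixed_is_affected(version):
    """Corrected check: compare components numerically against the range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def remediation(version):
    """Advice in the form the thread says the text was corrected to: an
    upgrade target, not a recommendation to replace the product."""
    if fixed_is_affected(version):
        return "Upgrade Zope to a release later than 2.5.01."
    return None


def regression_table(versions):
    """Compare old and new check results for a list of observed versions;
    entries where the two disagree are the false positives the fix removes."""
    return {v: (buggy_is_affected(v), fixed_is_affected(v)) for v in versions}


if __name__ == "__main__":
    # Constructed sample of version strings a scanner might see in a banner.
    sample = ["2.0", "2.5.01", "2.5.02", "2.6.0", "2.10.8", "2.11.1"]
    for v, (old, new) in regression_table(sample).items():
        flag = "FALSE POSITIVE" if old and not new else ""
        print("%-8s buggy=%-5s fixed=%-5s %s" % (v, old, new, flag))
```

Run stand-alone it prints one row per sample version; 2.10.8 and 2.11.1 are flagged only by the buggy prefix match, which is exactly the behaviour that produced the report marr received.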
Re: [Zope] HTTP Request Denial of Service Vulnerability
On Jul 19, 2009, at 11:04 PM, TsungWei Hu wrote:
> The observation and recommendation is specifically generated by Foundstone Labs' software. It's my fault to suggest that might be related to Hotfix-2008-08-12. From my side, I will try to stop improper information from Foundstone lab.
>
> Thanks,
> marr

Which Foundstone software/service generated this bogus advisory? Details please.

Ric
Re: [Zope] HTTP Request Denial of Service Vulnerability
The observation and recommendation is specifically generated by Foundstone Labs' software. It's my fault to suggest that might be related to Hotfix-2008-08-12. From my side, I will try to stop improper information from Foundstone lab.

Thanks,
marr

On Mon, Jul 20, 2009 at 12:20 PM, Andreas Jung li...@zopyx.com wrote:
> On 20.07.09 04:06, TsungWei Hu wrote:
> > [...]
>
> TsungWei, with respect but you are telling barely nonsense. The mentioned issue only affected sites where managers gave ZMI access to untrusted users. So this issue is of limited importance. In addition it has been fixed within less than one day (compare this to other systems).
>
> In addition: Zope is an application server, not a CMS. Also: compare the number of critical bugs within Zope to other systems. ZOPE IS VERY SECURE.
>
> So please stop with such postings spreading FUD and containing improper information.
>
> Andreas Jung
> Zope 2 Release Manager
[Zope] HTTP Request Denial of Service Vulnerability
I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a security notice as follows. Is it sufficient to fix this just installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ?

Thanks,
/marr/

= Name =
Zope HTTP Request Denial of Service Vulnerability

= Description =
A vulnerability in Zope may allow a remote attacker to manually shutdown the system.

= Observation =
The Zope Web Content Management system has been identified with a critical denial of service vulnerability. A malicious attacker could manually shutdown the target system remotely via a custom web HTTP field request. This vulnerability is especially dangerous as the kill packet can be completely forged thereby increasing the difficulty when tracking would-be intruders and attackers.

= Recommendation =
Although the Zope development environment is one of the largest and most widely supported open source web content management solutions, it has been plagued with exploitable vulnerabilities. Due to the nature of the software and shear number of vulnerabilities, Foundstone Labs recommends you consider utilizing a different content management solution and at a minimum upgrade your software. Zope updates can be freely downloaded from www.zope.org
Re: [Zope] HTTP Request Denial of Service Vulnerability
I have no idea who Foundstone Labs is, nor if the denial of service vulnerability they're talking about is indeed the one fixed by http://www.zope.org/advisories/advisory-2008-08-12/ but:

a) if it is, if you read it closely, you'll note that it's for Zope instances where untrusted users have unrestricted access to the ZMI and the ability to add Python Scripts. Do you have such a setup?

b) Zope has historically been *very* secure; this company is utterly, completely, and hopelessly clueless (nor can they spell sheer). If you want *real* security horror, I'd suggest taking their advice and upgrading to any PHP based solution. ;-)

- C

On 7/19/09 10:06 PM, TsungWei Hu wrote:
> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a security notice as follows. Is it sufficient to fix this just installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ?
>
> Thanks,
> /marr/
>
> [...]
Re: [Zope] HTTP Request Denial of Service Vulnerability
I just sent the below via http://www.foundstone.com/us/contact-form.aspx . I'd suggest that others do the same; this company is totally wrong about this conclusion...

You recently issued a security warning to the effect:

= Name =
Zope HTTP Request Denial of Service Vulnerability

= Description =
A vulnerability in Zope may allow a remote attacker to manually shutdown the system.

= Observation =
The Zope Web Content Management system has been identified with a critical denial of service vulnerability. A malicious attacker could manually shutdown the target system remotely via a custom web HTTP field request. This vulnerability is especially dangerous as the kill packet can be completely forged thereby increasing the difficulty when tracking would-be intruders and attackers.

= Recommendation =
Although the Zope development environment is one of the largest and most widely supported open source web content management solutions, it has been plagued with exploitable vulnerabilities. Due to the nature of the software and shear number of vulnerabilities, Foundstone Labs recommends you consider utilizing a different content management solution and at a minimum upgrade your software. Zope updates can be freely downloaded from www.zope.org

Your conclusion here is wrong. This particular vulnerability is for Zope installations that offer the ability for *untrusted users* to add code through the web. This is not the default setup; a user needs to explicitly enable such a setup. The conclusion is akin to saying that people should not use Zope because they might do something bad to Zope if they have access to the administrative interface. This is the case with *any* application server or content management system.

I'd suggest getting a little more knowledge about your material before scaring folks. The Zope folks do full disclosure of all vulnerabilities; it's up to you to discern the scary ones from the ho-hum ones. This is definitely a ho-hum one, and in no way deserves this conclusion.

On 7/19/09 10:42 PM, Chris McDonough wrote:
> I have no idea who Foundstone Labs is, nor if the denial of service vulnerability they're talking about is indeed the one fixed by http://www.zope.org/advisories/advisory-2008-08-12/ but:
>
> a) if it is, if you read it closely, you'll note that it's for Zope instances where untrusted users have unrestricted access to the ZMI and the ability to add Python Scripts. Do you have such a setup?
>
> b) Zope has historically been *very* secure; this company is utterly, completely, and hopelessly clueless (nor can they spell sheer). If you want *real* security horror, I'd suggest taking their advice and upgrading to any PHP based solution. ;-)
>
> - C
>
> On 7/19/09 10:06 PM, TsungWei Hu wrote:
> > [...]
Re: [Zope] HTTP Request Denial of Service Vulnerability
It might be premature to blame this on Foundstone. I can't seem to find this security advisory online at all. No advisory id was included nor any reference at all, and the recommendation doesn't look at all like what usually comes from a legit advisory.

I smell a fake.

Ric

On Jul 19, 2009, at 7:55 PM, Chris McDonough wrote:
> I just sent the below via http://www.foundstone.com/us/contact-form.aspx . I'd suggest that others do the same; this company is totally wrong about this conclusion...
>
> You recently issued a security warning to the effect:
>
> [...]
>
> Your conclusion here is wrong. This particular vulnerability is for Zope installations that offer the ability for *untrusted users* to add code through the web. This is not the default setup; a user needs to explicitly enable such a setup. The conclusion is akin to saying that people should not use Zope because they might do something bad to Zope if they have access to the administrative interface. This is the case with *any* application server or content management system.
>
> I'd suggest getting a little more knowledge about your material before scaring folks. The Zope folks do full disclosure of all vulnerabilities; it's up to you to discern the scary ones from the ho-hum ones. This is definitely a ho-hum one, and in no way deserves this conclusion.
>
> On 7/19/09 10:42 PM, Chris McDonough wrote:
> > [...]
Re: [Zope] HTTP Request Denial of Service Vulnerability
This may be true. However, I notice that whoever makes the Foundstone website can't spell either ("Costumer" for "Customer" in the "How you found out about us" dropdown). ;-) So... guilty till proven innocent as far as I'm concerned.

- C

On 7/19/09 11:45 PM, Ricardo Newbery wrote:
> It might be premature to blame this on Foundstone. I can't seem to find this security advisory online at all. No advisory id was included nor any reference at all, and the recommendation doesn't look at all like what usually comes from a legit advisory.
>
> I smell a fake.
>
> Ric
>
> On Jul 19, 2009, at 7:55 PM, Chris McDonough wrote:
> > [...]
Re: [Zope] HTTP Request Denial of Service Vulnerability
On 20.07.09 04:06, TsungWei Hu wrote:
> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a security notice as follows. Is it sufficient to fix this just installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ?
>
> Thanks,
> /marr/
>
> Although the Zope development environment is one of the largest and most widely supported open source web content management solutions, it has been plagued with exploitable vulnerabilities. Due to the nature of the software and shear number of vulnerabilities, Foundstone Labs recommends you consider utilizing a different content management solution and at a minimum upgrade your software. Zope updates can be freely downloaded from www.zope.org

TsungWei, with respect but you are telling barely nonsense. The mentioned issue only affected sites where managers gave ZMI access to untrusted users. So this issue is of limited importance. In addition it has been fixed within less than one day (compare this to other systems).

In addition: Zope is an application server, not a CMS. Also: compare the number of critical bugs within Zope to other systems. ZOPE IS VERY SECURE.

So please stop with such postings spreading FUD and containing improper information.

Andreas Jung
Zope 2 Release Manager
Re: [Zope] HTTP Request Denial of Service Vulnerability
+---[ Chris McDonough ]--
| This may be true. However, I notice that whomever makes the Foundstone website
| can't spell either (Costumer for Customer in the How you found out about
| us dropdown). ;-) So... guilty till proven innocent as far as I'm concerned.

Don't blame me, I'm not the costumer involved...

--
Andrew Milton
a...@theinternet.com.au