[Zope-dev] vulnerability in zope 2.10.4

2007-07-11 Thread Andreas Zeidler

hi,

imho i've found a vulnerability in zope 2.10.4 or rather in the newer  
version of five (1.5.5) used by it.  in `Five/browser/ 
pagetemplatefile.py` in line 27 `createTrustedZopeEngine` is used the  
instantiate the page template engine used by five templates, or at  
least this is what i think it does.  the problem with this is that  
`trustedBoboAwareZopeTraverse` (in `PageTemplates/Expressions.py`)  
gets used to traverse path-expressions using `unrestrictedTraverse`  
(line 100), which means that i can access say the title of an  
otherwise private object with a simple

obj/Title.

i ran into this when one of my doctests[1] failed after upgrading  
from zope 2.10.3 to 2.10.4, because it could now access the title,  
even though permissions are explicitly set up beforehand to prevent  
this.  using `createZopeEngine` instead of `createTrustedZopeEngine`  
didn't help with the test, unfortunately, since this would then raise  
an `Unauthorized` right away when rendering the `folder_contents`  
view.  however, if i defer resetting the roles of the test user to  
just before the click on 'Delete' (line 35 in the test), the test  
works again...


i've also just verified this ttw by creating a simple five view and a  
file object.  i can successfully access the title attribute using  
the view, even though view and access contents information  
permissions are set up so only the manager role can access the  
object.  dropping in zope 2.10.3 things work as expected, that is an  
`Unauthorized` exception is raised.


so, unless i'm completely wrong here, i'd say this is a pretty  
serious security whole, no?


cheers,


andi

[1] http://dev.plone.org/plone/browser/plone.app.linkintegrity/trunk/ 
plone/app/linkintegrity/docs/testReferalToPrivateFiles.txt?rev=16003


--
zeidler it consulting - http://zitc.de/ - [EMAIL PROTECTED]
friedelstra├če 31 - 12047 berlin - telefon +49 30 25563779
pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/
sprint with us! - http://plone.org/events/sprints/potsdam-sprint-2007




PGP.sig
Description: This is a digitally signed message part
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Vulnerability in Zope

2001-09-25 Thread Michael R. Bernstein

On Sun, 2001-09-23 at 17:00, Andy McKay wrote:

 [snip]
 Haven't we been complaining about this automatic appending of
tracebacks for
 a while? To me this is what log files are for but Im not sure what this
 guy is on. I wouldnt count this as a security vulnerability.

Hmm. It's 'side-band' information. Assuming that a cracker could get
arbitrary code to run on the server through some other vulnerability
(say a buffer overflow in some daemon), this information could be
exploited to make their attack on the Zope installation more targeted.

All this is assuming that the cracker in question is very clever, and
has something in mind that is more subtle that simply shutting the
server down, because if they can get arbitrary code to run on the
server, it's toast anyway.

An example of a subtle attack would be re-writing an e-commerce product
so that any credit-card information would get silently copied and
forwarded elsewhere.

In short, the principle here is that *given* that some other
vulnerability could give a cracker access to the server in some way, you
still don't want to give them any more information on the server
configuration than you have to.

Michael Bernstein.


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-dev] Vulnerability in Zope

2001-09-24 Thread seb bacon

* Andy McKay [EMAIL PROTECTED] [010924 01:11]:
 Haven't we been complaining about this automatic appending of tracebacks for
 a while? To me this is what log files are for but Im not sure what this
 guy is on. I wouldnt count this as a security vulnerability.

It's not an exploitable vulnerability (which is the only sort of
vulnerability in my book ;) but it's as ugly as a warthog, and it would
be nice to arrange things more gracefully.

seb

 
 - Original Message -
 From: Chris Withers [EMAIL PROTECTED]
 To: Paul Everitt [EMAIL PROTECTED]; ALife [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Sunday, September 23, 2001 10:44 AM
 Subject: Re: [Zope-dev] Vulnerability in Zope
 
 
   Do others consider this a vulnerability?
 
  Yup... especially given the hard-coded (sigh) error page returned for
  authentication error gives out this information :-(
 
  Chris
 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-dev] Vulnerability in Zope

2001-09-24 Thread Chris Withers

seb bacon wrote:
 
 * Andy McKay [EMAIL PROTECTED] [010924 01:11]:
  Haven't we been complaining about this automatic appending of tracebacks for
  a while? To me this is what log files are for but Im not sure what this
  guy is on. I wouldnt count this as a security vulnerability.
 
 It's not an exploitable vulnerability (which is the only sort of
 vulnerability in my book ;) but it's as ugly as a warthog, and it would
 be nice to arrange things more gracefully.

I just had a _really_ bad attack of Deja Vu reading this thread :-S

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



[Zope-dev] Vulnerability in Zope

2001-09-23 Thread ALife

Found vulnerability: retrieve a full path to local files in Zope.

---[ Example 1 (Linux):

telnet www.zope.org 80

PROPFIND / HTTP/1.0

F
G
H
J
K
L
HTTP/1.0 500 Internal Server Error
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Mon, 10 Sep 2001 15:38:59 GMT
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
Sheets.py
Bobo-Exception-Type: TypeError
Content-Length: 7058
Ms-Author-Via: DAV
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
Sheets.py
Bobo-Exception-Type: TypeError
Content-Type: text/html
Bobo-Exception-Value: !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//
EN http://www.w3.org/TR/REC-html40/loose.dtd; HTML  HEAD  TITLEWelcome
to Zope.org/TITLE   link rel=stylesheet href=http://www.zope.org/zope_css;
 type=text/css   /HEAD   BODY B
Bobo-Exception-Line: 369


...


 !--
 Traceback (innermost last):
  File /usr/local/base/Zope-2.3.2-modified/l
ib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/ba
se/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
   F
ile /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, i
n zpublisher_exception_hook
   (Object: ApplicationDefaultPermissions)
File /us
r/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 171, in
publish
 File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/mapply.p
y, line 160, in mapply
  (Object: PROPFIND)
  File /usr/local/base/Zope-2.3.2-mo
dified/lib/python/ZPublisher/Publish.py, line 112, in call_object
 (Object: PR
OPFIND)
 File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Resource.py,
 line 222, in PROPFIND
  (Object: ApplicationDefaultPermissions)
   File /usr/loc
al/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
  Fi
le /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, i
n apply
 File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py,
line 219, in apply
File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/d
avcmds.py, line 219, in apply
   File /usr/local/base/Zope-2.3.2-modified/lib/pyth
on/webdav/davcmds.py, line 175, in apply
  File /usr/local/base/Zope-2.3.2-modifi
ed/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop
  (Object: Virtu
al)
   TypeError: (see above)

 --
Host has closed connection.

---[ Example 2 (Linux):
telnet www.zope.com 80

 / HTTP/1.0
or NOTREALCOMMAND / HTTP/1.0


HTTP/1.0 404 Not Found
Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
Date: Fri, 21 Sep 2001 12:51:48 GMT
Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/H
TTPResponse.py
Content-Type: text/html
Bobo-Exception-Type: NotFound
Bobo-Exception-Value: !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//
EN http://www.w3.org/TR/REC-html40/loose.dtd; HTML  HEAD  TITLEWelcome
to Zope.org/TITLE   link rel=stylesheet href=http://www.zope.org/zope_css;
 type=text/css   /HEAD   BODY B
Content-Length: 5845
Bobo-Exception-Line: 547

 ... 

 !--
 Traceback (innermost last):
  File /
usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, i
n publish_module
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher
/Publish.py, line 187, in publish
   File /usr/local/base/Zope-2.3.2-modified/lib/
python/Zope/__init__.py, line 221, in zpublisher_exception_hook
   (Object: Appl
icationDefaultPermissions)
File /usr/local/base/Zope-2.3.2-modified/lib/python/
ZPublisher/Publish.py, line 173, in publish
 File /usr/local/base/Zope-2.3.2-mod
ified/lib/python/ZPublisher/HTTPResponse.py, line 308, in setBody
   File /usr/loc

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Paul Everitt


Do others consider this a vulnerability?  While it reveals more 
information than people might want, I'm curious about scenarios under 
which it could be exploited.

If any of you know of something *specific*, meaning it's a genuinely 
exploitable vulnerability, please email me or Brian Lloyd 
([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.

--Paul

ALife wrote:

 Found vulnerability: retrieve a full path to local files in Zope.
 
 ---[ Example 1 (Linux):
 
 telnet www.zope.org 80
 
 PROPFIND / HTTP/1.0
 
 F
 G
 H
 J
 K
 L
 HTTP/1.0 500 Internal Server Error
 Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
 Date: Mon, 10 Sep 2001 15:38:59 GMT
 Content-Length: 7058
 Ms-Author-Via: DAV
 Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
 Sheets.py
 Bobo-Exception-Type: TypeError
 Content-Length: 7058
 Ms-Author-Via: DAV
 Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property
 Sheets.py
 Bobo-Exception-Type: TypeError
 Content-Type: text/html
 Bobo-Exception-Value: !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//
 EN http://www.w3.org/TR/REC-html40/loose.dtd; HTML  HEAD  TITLEWelcome
 to Zope.org/TITLE   link rel=stylesheet href=http://www.zope.org/zope_css;
  type=text/css   /HEAD   BODY B
 Bobo-Exception-Line: 369
 
 
 ...
 
 
  !--
  Traceback (innermost last):
   File /usr/local/base/Zope-2.3.2-modified/l
 ib/python/ZPublisher/Publish.py, line 223, in publish_module
   File /usr/local/ba
 se/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 187, in publish
F
 ile /usr/local/base/Zope-2.3.2-modified/lib/python/Zope/__init__.py, line 221, i
 n zpublisher_exception_hook
(Object: ApplicationDefaultPermissions)
 File /us
 r/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 171, in
 publish
  File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/mapply.p
 y, line 160, in mapply
   (Object: PROPFIND)
   File /usr/local/base/Zope-2.3.2-mo
 dified/lib/python/ZPublisher/Publish.py, line 112, in call_object
  (Object: PR
 OPFIND)
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/Resource.py,
  line 222, in PROPFIND
   (Object: ApplicationDefaultPermissions)
File /usr/loc
 al/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, in apply
   Fi
 le /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py, line 219, i
 n apply
  File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/davcmds.py,
 line 219, in apply
 File /usr/local/base/Zope-2.3.2-modified/lib/python/webdav/d
 avcmds.py, line 219, in apply
File /usr/local/base/Zope-2.3.2-modified/lib/pyth
 on/webdav/davcmds.py, line 175, in apply
   File /usr/local/base/Zope-2.3.2-modifi
 ed/lib/python/OFS/PropertySheets.py, line 369, in dav__allprop
   (Object: Virtu
 al)
TypeError: (see above)
 
  --
 Host has closed connection.
 
 ---[ Example 2 (Linux):
 telnet www.zope.com 80
 
  / HTTP/1.0
 or NOTREALCOMMAND / HTTP/1.0
 
 
 HTTP/1.0 404 Not Found
 Server: Zope/Zope 2.3.2 (source release, python 1.5.2, linux2) ZServer/1.1b1
 Date: Fri, 21 Sep 2001 12:51:48 GMT
 Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/H
 TTPResponse.py
 Content-Type: text/html
 Bobo-Exception-Type: NotFound
 Bobo-Exception-Value: !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//
 EN http://www.w3.org/TR/REC-html40/loose.dtd; HTML  HEAD  TITLEWelcome
 to Zope.org/TITLE   link rel=stylesheet href=http://www.zope.org/zope_css;
  type=text/css   /HEAD   BODY B
 Content-Length: 5845
 Bobo-Exception-Line: 547
 
  ... 
 
  !--
  Traceback (innermost last):
   File /
 usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher/Publish.py, line 223, i
 n publish_module
   File /usr/local/base/Zope-2.3.2-modified/lib/python/ZPublisher
 /Publish.py, line 187, in publish
File /usr/local/base/Zope-2.3.2-modified/lib/
 python/Zope/__init__.py, line 221, in zpublisher_exception_hook

Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Jerome Alet

On Sun, Sep 23, 2001 at 10:36:33AM -0400, Paul Everitt wrote:
 
 Do others consider this a vulnerability?  While it reveals more 
 information than people might want, I'm curious about scenarios under 
 which it could be exploited.
 
 If any of you know of something *specific*, meaning it's a genuinely 
 exploitable vulnerability, please email me or Brian Lloyd 
 ([EMAIL PROTECTED]) directly, rather than explain to the world how to do it.
 ...
 ...
  Bobo-Exception-File: /usr/local/base/Zope-2.3.2-modified/lib/python/OFS/Property

Think about social engeniering.
Knowing this sort of things, while this is not a vulnerability in itself,
allows everybody to remotely know were Data.fs is.

bye,

Jerome Alet


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Chris Withers

 Do others consider this a vulnerability?

Yup... especially given the hard-coded (sigh) error page returned for
authentication error gives out this information :-(

Chris



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-dev] Vulnerability in Zope

2001-09-23 Thread Andy McKay

Haven't we been complaining about this automatic appending of tracebacks for
a while? To me this is what log files are for but Im not sure what this
guy is on. I wouldnt count this as a security vulnerability.

- Original Message -
From: Chris Withers [EMAIL PROTECTED]
To: Paul Everitt [EMAIL PROTECTED]; ALife [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, September 23, 2001 10:44 AM
Subject: Re: [Zope-dev] Vulnerability in Zope


  Do others consider this a vulnerability?

 Yup... especially given the hard-coded (sigh) error page returned for
 authentication error gives out this information :-(

 Chris



 ___
 Zope-Dev maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope-dev
 **  No cross posts or HTML encoding!  **
 (Related lists -
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope )




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )