Brian Lloyd wrote:
> Have you tested to ensure that the 2.6.2 (CVS) is still open to the
> DoS? If so, could you give me a quick scenario that I could use to
> reproduce it?

I haven't tested 2.6.2, I tested CVS HEAD; assuming the code change to both was the validated_hook in Zope/App/startup.py, then 2.6.2 is vulnerable as well. The hacky bash script I posted earlier was the test I used, but you can test it just by going to a host running the latest code and appending ?Zope-Version=foo to the URL. If it creates a new, persistent, zodb connection in the version foo, then you can be had.

The rule of thumb is: if an anonymous client can force an application server to store persistent data across transactions, then the server will be vulnerable to a DoS attack.

Shane Hathaway wrote:
> - Anonymous users can still open a versioned database connection
>   (although now they can't use it)
> - Merely opening a versioned connection consumes resources
> - Zope does not free those resources as it should

100% correct. Frankly I'm not entirely convinced anonymous users should ever be able to open a zodb connection, but I have no technical evidence to back that up, it's just a hunch.

Oliver Bleutgen wrote:
> This is not purely aesthetical reasoning, since cookies can be trusted a
> bit more than other variables coming from the request. You can't inject
> them from third party sites, for instance.

Well actually you can inject them from 3rd party sites if the browser is IE, but that probably doesn't come as a surprise to anyone; IE is notoriously insecure.

Toby Dickenson wrote:
> I've not tested Jim's code, but it looks to me like it *should* stop that
> attack. Have you tested it?

Yes, you get a 401 now, but by that time the damage has been done.

--
Jamie Heilman                     http://audible.transient.net/~jamie/
"It's almost impossible to overestimate the unimportance of most things."
                                                          -John Logue

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
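An added model of the pattern the thread describes, written for this page and not taken from Zope or ZODB: a server that keeps one long-lived connection per version name taken from an anonymous request, compared with a variant that checks credentials before allocating and bounds the cache. `Server`, `handle` and the version names are hypothetical stand-ins, and the "connection" is an in-memory dict.

```python
from collections import OrderedDict

UNAUTHORIZED = 401

class Server:
    """Model (not Zope's code) of a server caching one DB connection per version name."""

    def __init__(self, auth_first, max_versions=None):
        self.auth_first = auth_first        # hardened: check credentials before opening
        self.max_versions = max_versions    # hardened: bound the number of cached versions
        self.connections = OrderedDict()    # version name -> connection (a dict stands in)

    def _open(self, version):
        # A real connection would hold an object cache; here a dict is the stand-in.
        conn = self.connections.pop(version, {"version": version})
        self.connections[version] = conn    # mark as most recently used
        if self.max_versions is not None:
            while len(self.connections) > self.max_versions:
                self.connections.popitem(last=False)   # close least recently used
        return conn

    def handle(self, version, authenticated):
        """Serve one request; version is None when no version parameter was sent."""
        if self.auth_first and version is not None and not authenticated:
            return UNAUTHORIZED             # refused before anything was allocated
        if version is not None:
            self._open(version)
        if version is not None and not authenticated:
            return UNAUTHORIZED             # vulnerable order: allocated, then refused
        return 200

def retained_after_anonymous_requests(server, n):
    """Send n unauthenticated requests, each naming a fresh version (constructed input),
    and return how many connections the server is still holding afterwards."""
    for i in range(n):
        server.handle("v%d" % i, authenticated=False)
    return len(server.connections)

if __name__ == "__main__":
    print("vulnerable:", retained_after_anonymous_requests(Server(auth_first=False), 1000))
    print("hardened:  ", retained_after_anonymous_requests(Server(auth_first=True), 1000))
```

Both servers answer the anonymous request with a 401, which is exactly the point made above: the status code alone says nothing about whether the resource was already allocated and kept.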