Hello,

after Chris Withers lightning talk at EPC 2008 I had a closer look
at the implementation of Python Scripts in Zope 2.11.

While I have not yet been able to break out of the restricted
environment without help from installed products, there are a few
denial-of-service attacks which can easily be deployed on sites
allowing adding Python Scripts to a user folder:

1. Attack:

Put this into a "Script (Python)" object and run it:

return 'kaboom'.encode('test.testall')

This results in a denial-of-service, since Zope will hang
running the Python test suite.

The reason for this is a problem in the way the encoding search
function works in Python 2.4. This was changed in 2.5 to no longer
allow searching for codecs outside the encodings package.


2. Attack:

Put this into a "Script (Python)" object and run it:

raise SystemExit

This shuts down Zope.

The Python Script environment should obviously catch such exceptions
and not let them propagate up the call stack.


I found the second attack rather surprising, as it doesn't require
deep knowledge about Python's interna.

Regards,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Aug 12 2008)
 >>> Python/Zope Consulting and Support ...        http://www.egenix.com/
 >>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
 >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::


    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
            Registered at Amtsgericht Duesseldorf: HRB 46611
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to