It should be noted that doing this may make it less likely for a general purpose automated scanner like Foundstone (or Nessus or any vulnerability scanner) from finding your deployment, but it does not fix the app from the issue that the scanner was checking for. This may or may not be an appropriate action, depending on your environment. "Good Guy" scanners like our product usually have to try to determine if a site is vulnerable in non-intrusive ways, such as checking banners. Bad guys scanners often send the exploit regardless of version. They have no problem causing damage by sending potentially dangerous inputs to your application. By changing the banner, you may be preventing good guys from seeing the issue and attempting to fix the issue without preventing bad guys from exploiting the issue.
In any case, since this was done in 2002, it's unlikely the specific issue in question is very relevant on either side. -----Original Message----- From: Andreas Jung [mailto:li...@zopyx.com] Sent: Friday, July 24, 2009 10:22 AM To: Permeh, Ryan Cc: zope@zope.org Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability That's why I usually override the Server: HTTP header from within my Zope apps for public sites running on Zope :-) Andreas On 24.07.09 19:15, ryan_per...@mcafee.com wrote: > Ok, the final analysis is as follows: > > We had an incorrect version regex that matched 2.10 the same as 2.1. This > issue seems to only affect zope version 2.0 through 2.5.01. This lead to the > vulnerability showing up with recent versions of zope being scanned. > > We are fixing both the regex and the suggested fix. The new suggested fix > will be to update to the appropriate version of zope (in this case, post > 2.5.01), not to replace it with something else. This fix should be updated > within the next week or so. > > If you have any further questions pertaining to McAfee (or Foundstone) > security reports, please feel free to contact me directly, or via > secur...@mcafee.com. I am not a full time member of this list, so I may not > see any replies or questions made only to the list. > > > -----Original Message----- > From: Permeh, Ryan > Sent: Friday, July 24, 2009 9:53 AM > To: li...@zopyx.com > Cc: zope@zope.org > Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability > > It is not related the specified hotfix. I'm getting details now, but this is > how it seems: > 1. this is from the Foundstone product, not a public advisory. The > Foundstone product is a vulnerability scanner, and it seems that it feels > that the original poster's site is vulnerable to the stated issue. > 2. The vulnerability check was written and published in 2002. > 3. I am looking into details regarding both what the details of this issue > originally were, and what we look for to trigger it's existence. > > This leads to a couple observations. > > 1. This is likely a false positive, unless the original poster was running > ridiculously old software. > 2. We will fix the check logic or remove the check entirely. Checks > this old rarely add much value to the product 3. In any case, if the check > stays, we will update the text. I'm not sure who wrote the original text in > 2002, but it obviously doesn't apply now. > > > -----Original Message----- > From: Andreas Jung [mailto:li...@zopyx.com] > Sent: Friday, July 24, 2009 9:43 AM > To: Permeh, Ryan > Cc: zope@zope.org > Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability > > Hi, > > > > > On 24.07.09 18:24, ryan_per...@mcafee.com wrote: > >> I manage product security at McAfee, of which Foundstone is a part. I am >> not aware of releasing such an advisory, and am looking into this. Could we >> get details regarding where this was found? Was this posted to a web site? >> A security mailing list? And when was it posted? This may have a very >> different meaning if it was published in 2001 or something like that. >> Alternately, Foundstone produces a vulnerability management software, was >> this in a report generated by that product? >> >> >> > I have no idea what you are talking about. > > We had this strange mail thread this week: > > http://mail.zope.org/pipermail/zope/2009-July/175308.html > > related to this hotfix > > http://www.zope.org/Products/Zope/Hotfix-2008-08-12 > > Now how is this related to " HTTP Request Denial of Service Vulnerability" ??? > > I can not find anything related to the subject within the list of our > hotfixes (which is pretty small since 2000): > > _______________________________________________ > Zope maillist - Zope@zope.org > http://mail.zope.org/mailman/listinfo/zope > ** No cross posts or HTML encoding! ** > (Related lists - > http://mail.zope.org/mailman/listinfo/zope-announce > http://mail.zope.org/mailman/listinfo/zope-dev ) > -- ZOPYX Ltd. & Co KG \ ZOPYX & Friends Charlottenstr. 37/1 \ The experts for your Python, Zope and D-72070 Tübingen \ Plone projects www.zopyx.com, i...@zopyx.com \ www.zopyx.de/friends, frie...@zopyx.de ------------------------------------------------------------------------ E-Publishing, Python, Zope & Plone development, Consulting _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
