Zope Application Server Through the Web Code Input Validation Bug May Let Remote Users Shut Down the Server
SecurityTracker Alert ID: 1005302
CVE Reference: CVE-2002-0687
Updated: Dec 15 2003
Original Entry Date: Sep 27 2002
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2.4.4b2 and 2.5.1b2.
Description: A vulnerability was reported in the Zope web application server. A remote user could cause a Zope server to shut down.
It is reported that a remote user can inject special headers into the response to cause the server to shut down. This vulnerability applies to configurations that allow untrusted users to write "through the web" code using features such as Python Scripts, DTML Methods, or Page Templates.
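The advisory classifies the cause as an input validation error: response headers set by untrusted "through the web" code reach the server unchecked. The following is an added example, not Zope's own code and not taken from the hotfix; it shows the mitigation class in a small response model where headers set by untrusted scripts are validated against an allowlist, a reserved-name list, and a CR/LF check before they are accepted. The reserved header names and the allowlist are constructed placeholders; the advisory does not name the actual headers involved in CVE-2002-0687.

```python
"""Response-header validation for code written by untrusted users.

Added example, not Zope's own code. It models the mitigation class the
advisory describes: headers set by "through the web" code are validated
before they reach the server, so a script cannot set a header the server
treats as an internal control directive. RESERVED_HEADERS and
ALLOWED_HEADERS are constructed placeholders, not the real Zope headers.
"""
import re

# Constructed placeholders for headers the (hypothetical) server interprets
# as internal control directives. Never settable, even by trusted code.
RESERVED_HEADERS = frozenset({"x-server-control", "x-server-shutdown"})

# Constructed allowlist of headers an untrusted script may set; anything
# not listed is refused rather than passed through.
ALLOWED_HEADERS = frozenset({
    "content-type", "cache-control", "content-disposition", "x-custom-note",
})

# RFC 7230 token syntax for header names.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF and NUL in a value would let a script smuggle extra header lines.
_BAD_VALUE = re.compile(r"[\r\n\x00]")


class HeaderRejected(ValueError):
    """Raised when a header name or value fails validation."""


def validate_header(name, value, trusted=False):
    """Return a normalized (name, value) pair or raise HeaderRejected."""
    if not isinstance(name, str) or not _TOKEN.match(name):
        raise HeaderRejected("invalid header name")
    if not isinstance(value, str) or _BAD_VALUE.search(value):
        raise HeaderRejected("control characters in header value")
    lname = name.lower()
    if lname in RESERVED_HEADERS:
        raise HeaderRejected("reserved header")
    if not trusted and lname not in ALLOWED_HEADERS:
        raise HeaderRejected("header not permitted for untrusted code")
    return lname, value.strip()


class Response:
    """Minimal response object with validated header setting."""

    def __init__(self, trusted=False):
        self.trusted = trusted
        self.headers = {}
        self.rejected = []  # audit trail: (name, reason) for every refusal

    def set_header(self, name, value):
        try:
            lname, val = validate_header(name, value, self.trusted)
        except HeaderRejected as exc:
            self.rejected.append((name, str(exc)))
            return False
        self.headers[lname] = val
        return True


def run_untrusted_script(script):
    """Simulate through-the-web code as a list of (name, value) header calls."""
    resp = Response(trusted=False)
    for name, value in script:
        resp.set_header(name, value)
    return resp


# Constructed sample script: one legitimate header, one reserved name,
# one value carrying a CR/LF injection, one header outside the allowlist.
SAMPLE_SCRIPT = [
    ("Content-Type", "text/plain"),
    ("X-Server-Shutdown", "1"),
    ("Cache-Control", "no-store\r\nX-Injected: 1"),
    ("Set-Cookie", "a=b"),
]

if __name__ == "__main__":
    r = run_untrusted_script(SAMPLE_SCRIPT)
    print("accepted:", r.headers)
    print("rejected:", r.rejected)
```

Only the Content-Type header survives the sample script; the other three are recorded in `rejected` with the reason, which is the kind of audit signal a site operator would log to spot scripts probing for control headers.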
Impact: A remote user can cause the server to shut down.
Solution: The vendor has released a fix (Hotfix_2002-04-15), available at:
http://www.zope.org/Products/Zope/Products/Zope/Hotfix_2002-04-15
Vendor URL: www.zope.org/Products/Zope/Hotfix_2002-04-15/README.txt
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
None.
Source Message Contents
Date: Thu, 26 Sep 2002 01:43:27 -0400
Subject: Zope bug (Hotfix_2002-04-15)
http://www.zope.org/Products/Zope/Products/Zope/Hotfix_2002-04-15
http://www.zope.org/Products/Zope/Hotfix_2002-04-15/README.txt
CAN-2002-0687
Hotfix_2002-04-15
This is a "hotfix" product. Hotfix products can be installed to
incorporate modifications to Zope at runtime without requiring an
immediate installation upgrade. Hotfix products are installed just
as you would install any other Zope product.
This hotfix addresses an important security issue that may affect
some users of all Zope versions prior to 2.4.4b2 and 2.5.1b2.
The issue involves a vulnerability involving "through the web code"
inadvertently allowing an untrusted user to remotely shut down a
Zope server by allowing the user to inject special headers into the
response. If you allow untrusted users to write "through the web"
code like Python Scripts, DTML Methods, or Page Templates, your Zope
server is vulnerable.
We highly recommend that any Zope site have this hotfix product
installed to mitigate the issue. Zope 2.5.1b2 and 2.4.4b2 as
well as subsequent Zope release versions will contain a fix for the
issue, at which time the hotfix can be removed.
---------
Hotfix_2002-04-15
This hotfix addresses an important security issue that may affect
some users of Zope versions 2.0 through 2.5.1 b1.
The issue involves a vulnerability involving "through the web code"
inadvertently allowing an untrusted user to remotely shut down a Zope
server by allowing the user to inject special headers into the response.
If you allow untrusted users to write "through the web" code like Python
Scripts, DTML Methods, or Page Templates, your Zope server is
vulnerable.
We highly recommend that any Zope site have this hotfix product
installed to mitigate the issue. Zope 2.5.1b2 and 2.4.4b2 as well as
subsequent Zope release versions will contain a fix for the issue, at
which time the hotfix can be removed.
http://www.zope.org/Products/Zope/Hotfix_2002-04-15/Hotfix_2002-04-15.tgz