Zope Security advisory 2008-08-12
25 August 2008


It is not too dangerous anyway...
[Zope] 

From http://www.zope.org/advisories/advisory-2008-08-12 :

PythonScripts in Zope 2 can be misused for shutting down
a complete Zope 2 instance or misused for a local denial-
of-service attack. This issue affects only those Zope 2
instances where users have unrestricted access to the ZMI
and the ability to edit PythonScripts. This should
usually not be the case for instances where the Manager
access is granted only to trusted persons.

Anyway, it is not too dangerous, because you usually do not give manager access to untrusted users. Luckily, installing the patch that solves the problem is as easy as downloading it, putting it inside your instance's Products folder and restarting your Zope instance.

(More information in the README file)

(Ah, and exploiting the bug is pretty easy once you have manager access; I did some tests myself a few hours ago and all were successful.)

Posted by wu at 17:36