Zope Vulnerabilities

Updated 10/4/02
CVE-2000-0062
CVE-2000-0483
CVE-2000-0725
CVE-2001-0128
CAN-2001-0568
CVE-2001-1227
CAN-2001-1278
CVE-2002-0170
CVE-2002-0687
CVE-2002-0688

Impact

Multiple vulnerabilities could allow a remote attacker to perform unauthorized actions on the server.

Background

Zope is a web application server which comes with support for membership, search, and news. The package includes an internet server, a transactional object database, and other components. Zope also features ZClasses, user-defined extensions to Zope's set of object types which can be created over the web.

The Problems


ZCatalog Vulnerability

10/4/02
CVE-2002-0688
A flaw in the security settings of ZCatalog objects could allow anonymous users or untrusted code to call arbitrary methods of catalog indexes. Zope 2.5.1 and earlier are affected by this vulnerability if ZCatalog's plug-in index support is enabled.


Server Shutdown Vulnerability

10/4/02
CVE-2002-0687
If the Zope server allows "through the web" code such as Python scripts, DTML methods, or page templates, a remote untrusted user could shut down the server by injecting specially crafted headers into the response. Zope 2.4.x versions prior to 2.4.4 beta 2 and Zope 2.5.x versions prior to 2.5.1 beta 2 are affected by this vulnerability.


Ownership Roles Enforcement Vulnerability

3/8/02
CVE-2002-0170
Because of a flaw in the security check for objects that carry proxy roles, users defined in subfolders of a site could access objects at higher levels that they should not have permission to access. Zope versions 2.5.1b1, 2.5.0, and 2.2.0 through 2.4.3 are affected by this vulnerability.


Method Execution through DTML tags

3/8/02
CVE-2001-1227
CAN-2001-1278
In versions 2.2.0 through 2.4.1, Zope does not check the permissions of a method invoked through the fmt attribute of a DTML tag. This could allow users with limited access to invoke methods that they should not have permission to call.
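The point of the fmt issue above is that a method named in a template attribute must pass the same permission check a direct call would. The following is an added example, not Zope's code: a simplified Python model of that dispatch, with the flawed version (name resolved and called with no check) beside a checked version that only calls methods registered with a permission the caller holds. The Document class, its methods and the permission names "View" and "Manage" are constructed for this example.

```python
# Added example, not Zope's code: a simplified model of dispatching to a
# method named in a template attribute (the advisory's fmt attribute). The
# flawed dispatcher calls whatever method the name resolves to; the checked
# one requires the name to be registered with a permission and the caller to
# hold that permission, as a direct call would. The Document class, its
# methods and the permission names are constructed for this example.


class Forbidden(Exception):
    pass


class Document:
    # permission required to call each public method (constructed table)
    _permissions = {"title_or_id": "View", "manage_delete": "Manage"}

    def __init__(self, title):
        self.title = title
        self.deleted = False

    def title_or_id(self):
        return self.title

    def manage_delete(self):
        self.deleted = True
        return "deleted"


def flawed_format(doc, fmt_name, user_permissions):
    """Model of the defect: the named method runs without any permission check."""
    return getattr(doc, fmt_name)()


def is_allowed(doc, fmt_name, user_permissions):
    """True only if fmt_name is a registered method and the caller holds its permission."""
    required = doc._permissions.get(fmt_name)
    return required is not None and required in user_permissions


def checked_format(doc, fmt_name, user_permissions):
    """Hardened dispatch: the same check a direct method call is subject to."""
    if not is_allowed(doc, fmt_name, user_permissions):
        raise Forbidden(f"{fmt_name!r} is not callable with {sorted(user_permissions)}")
    return getattr(doc, fmt_name)()


if __name__ == "__main__":
    viewer = {"View"}
    doc = Document("Quarterly report")
    print(checked_format(doc, "title_or_id", viewer))
    try:
        checked_format(doc, "manage_delete", viewer)
    except Forbidden as exc:
        print("blocked:", exc)
    print(flawed_format(doc, "manage_delete", viewer), doc.deleted)
```

Note that the registration table doubles as an allowlist: a name that is not registered (an attribute that is not meant to be a public method at all) is refused before any permission is compared, so the permission check and the allowlist cannot drift apart.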


Vulnerability in ZClasses

2/27/01
CAN-2001-0568
In Zope version 2.3.1b1 and earlier, a user with through-the-web scripting capabilities can view and assign class attributes to ZClasses, possibly allowing them to make inappropriate changes to ZClass instances.


Vulnerability in DocumentTemplate Package

2/27/01
CVE-2000-0483
An inadequately protected method in one of the base classes in the DocumentTemplate package could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization. All Zope versions prior to 2.1.7, and Zope 2.2 beta versions prior to 2.2 beta 1 are affected by this vulnerability.


Vulnerability in Local Role calculation

2/27/01
CVE-2001-0128
A vulnerability in the calculation of Local Roles in Zope 2.2.4 and earlier could allow a local user to gain privileges: Zope fails to check the folder hierarchy properly when calculating local roles, so a local attacker could use this flaw to gain unauthorized access to folders.
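Both the Ownership Roles Enforcement issue (users defined in subfolders reaching objects above them) and the Local Role calculation issue above come down to role resolution that ignores where in the folder tree a grant was made. The following is an added example, not Zope's code: a simplified Python model of role resolution in a folder tree that enforces the two hierarchy rules, with a deliberately flawed resolver beside it that collects grants from anywhere in the tree. The folder layout, the users "admin" and "alice", and the role names are constructed; the model assumes that local roles flow down to descendants only and that a user is recognised only within the subtree of the folder that defines them.

```python
# Added example, not Zope's code: a simplified model of how roles are resolved
# for a user against an object in a folder tree. It illustrates the two
# hierarchy checks the Local Role and Ownership Roles advisories are about:
#   1. local roles granted on a folder apply to it and its descendants only;
#   2. a user defined by a user folder in folder P is recognised only for
#      objects at or below P, so a user created in a subfolder gets no roles
#      on objects above it.
# The folder layout, user names and role names below are constructed.
from dataclasses import dataclass, field


@dataclass
class Folder:
    name: str
    parent: "Folder" = None
    # local roles granted on this folder: user name -> set of role names
    local_roles: dict = field(default_factory=dict)
    # users defined by a user folder in this folder: user name -> global roles
    users: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)


def ancestors(obj):
    """Yield obj, then its parent, and so on up to the root."""
    node = obj
    while node is not None:
        yield node
        node = node.parent


def walk(node):
    """Yield every folder in the subtree rooted at node."""
    yield node
    for child in node.children:
        yield from walk(child)


def defining_folder(user, obj):
    """Nearest folder at or above obj whose user folder defines user, else None."""
    for node in ancestors(obj):
        if user in node.users:
            return node
    return None


def roles_for(user, obj):
    """Correct resolution: global roles from the defining user folder plus
    local roles acquired from obj and its ancestors."""
    origin = defining_folder(user, obj)
    if origin is None:
        # user is unknown here, or defined only in a subfolder below obj
        return set()
    roles = set(origin.users[user])
    for node in ancestors(obj):
        roles |= set(node.local_roles.get(user, ()))
    return roles


def flawed_roles_for(user, obj, root):
    """Model of the defect the advisories describe: roles and local roles the
    user holds anywhere in the tree are granted on obj; nothing relates the
    place they were granted to obj's position in the hierarchy (obj is unused)."""
    roles = set()
    for node in walk(root):
        roles |= set(node.users.get(user, ()))
        roles |= set(node.local_roles.get(user, ()))
    return roles


def has_role(user, obj, role):
    """Authorization check an object would run before a protected action."""
    return role in roles_for(user, obj)


def build_sample_tree():
    """Constructed sample site: an admin at the root, a member 'alice' defined
    in /site who is also Manager of /site/private."""
    root = Folder("root", users={"admin": {"Manager"}})
    site = Folder("site", parent=root, users={"alice": {"Member"}})
    private = Folder("private", parent=site, local_roles={"alice": {"Manager"}})
    return {"root": root, "site": site, "private": private}


if __name__ == "__main__":
    t = build_sample_tree()
    for name in ("root", "site", "private"):
        print(name, "correct:", sorted(roles_for("alice", t[name])),
              "flawed:", sorted(flawed_roles_for("alice", t[name], t["root"])))
```

Run stand-alone, the script shows alice holding Manager only on /site/private and nothing at all on the root under the correct resolver, while the flawed resolver reports her as Member and Manager everywhere, which is the class of escalation the two advisories describe.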


Vulnerability in getRoles

2/27/01
CVE-2000-0725
A vulnerability in the getRoles method of user objects contained in the default UserFolder implementation could allow users with the ability to edit DTML to give themselves extra roles for the duration of a single request. All Zope versions prior to 2.2.1 beta 1 are affected by this vulnerability.


Vulnerability in DTML Implementation

2/27/01
CVE-2000-0062
A problem in the DTML implementation in Zope 2.x versions prior to 2.1.2 and Zope 1.x versions prior to 1.10.4 could allow an attacker to perform unauthorized activities on the server.

Resolution

Upgrade to the latest version of Zope. If that version is 2.5.1 (stable release), also install the Hotfix.

For users who are unable or do not wish to upgrade, hotfixes have been made available to fix each of the above vulnerabilities.

Where can I read more about this?

The ZCatalog vulnerability was reported in a Zope Security Alert. The Server Shutdown vulnerability was reported in a Zope Security Alert. The Ownership Roles Enforcement vulnerability was reported in a Zope Security Alert. The method execution through DTML tags was reported in another Zope Security Alert. The ZClasses vulnerability was also reported in a Zope Security Alert. The DocumentTemplate problem was reported in a Zope Security Alert. The vulnerability in the calculation of Local Roles was reported in an X-Force Advisory. The getRoles problem was reported in a Zope Security Alert. The DTML problem was reported in an X-Force Advisory.

For general information about Zope, see An Introduction to Zope by Brian Lloyd.