This may be true. However, I notice that whoever makes the Foundstone website can't spell either ("Costumer" for "Customer" in the "How you found out about us" dropdown). ;-) So... guilty till proven innocent as far as I'm concerned.

- C

On 7/19/09 11:45 PM, Ricardo Newbery wrote:
>
> It might be premature to blame this on Foundstone. I can't seem to find
> this security advisory online at all. No advisory id was included nor
> any reference at all, and the recommendation doesn't look at all like
> what usually comes from a legit advisory. I smell a fake.
>
> Ric
>
>
> On Jul 19, 2009, at 7:55 PM, Chris McDonough wrote:
>
>> I just sent the below via http://www.foundstone.com/us/contact-form.aspx . I'd
>> suggest that others do the same; this company is totally wrong about this
>> conclusion...
>>
>> You recently issued a security warning to the effect:
>>
>> """
>> = Name =
>>
>> Zope HTTP Request Denial of Service Vulnerability
>>
>> = Description =
>>
>> A vulnerability in Zope may allow a remote attacker to manually
>> shut down the system.
>>
>> = Observation =
>>
>> The Zope Web Content Management system has been identified with a critical
>> denial of service vulnerability. A malicious attacker could manually shut down
>> the target system remotely via a custom web HTTP field request. This
>> vulnerability is especially dangerous as the "kill" packet can be completely
>> forged, thereby increasing the difficulty when tracking would-be intruders and
>> attackers.
>>
>> = Recommendation =
>>
>> Although the Zope development environment is one of the largest and most widely
>> supported open source web content management solutions, it has been plagued with
>> exploitable vulnerabilities. Due to the nature of the software and shear number
>> of vulnerabilities, Foundstone Labs recommends you consider utilizing a
>> different content management solution and at a minimum upgrade your software.
>> Zope updates can be freely downloaded from www.zope.org
>> """
>>
>> Your conclusion here is wrong. This particular "vulnerability" is for Zope
>> installations that offer the ability for *untrusted users* to add code through
>> the web. This is not the default setup; a user needs to explicitly enable such
>> a setup. The conclusion is akin to saying that people should not use Zope
>> because they might do something bad to Zope if they have access to the
>> administrative interface. This is the case with *any* application server or
>> content management system.
>>
>> I'd suggest getting a little more knowledge about your material before scaring
>> folks. The Zope folks do full disclosure of all vulnerabilities; it's up to you
>> to discern the "scary" ones from the "ho hum" ones. This is definitely a ho-hum
>> one, and in no way deserves this conclusion.
>>
>> On 7/19/09 10:42 PM, Chris McDonough wrote:
>>> I have no idea who "Foundstone Labs" is, nor if the denial of service
>>> vulnerability they're talking about is indeed the one fixed by
>>> http://www.zope.org/advisories/advisory-2008-08-12/ but:
>>>
>>> a) if it is, if you read it closely, you'll note that it's for Zope instances
>>> where untrusted users have unrestricted access to the ZMI and the ability to add
>>> Python Scripts. Do you have such a setup?
>>>
>>> b) Zope has historically been *very* secure; this company is utterly,
>>> completely, and hopelessly clueless (nor can they spell "sheer"). If you want
>>> *real* security horror, I'd suggest taking their advice and "upgrading" to any
>>> PHP-based solution. ;-)
>>>
>>> - C
>>>
>>>
>>> On 7/19/09 10:06 PM, TsungWei Hu wrote:
>>>> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and received a
>>>> security notice as follows. Is it sufficient to fix this by just installing
>>>> http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
>>>>
>>>> = Name =
>>>>
>>>> Zope HTTP Request Denial of Service Vulnerability
>>>>
>>>> = Description =
>>>>
>>>> A vulnerability in Zope may allow a remote attacker to manually shut down
>>>> the system.
>>>>
>>>> = Observation =
>>>>
>>>> The Zope Web Content Management system has been identified with a
>>>> critical denial of service vulnerability. A malicious attacker could
>>>> manually shut down the target system remotely via a custom web HTTP field
>>>> request. This vulnerability is especially dangerous as the "kill" packet
>>>> can be completely forged, thereby increasing the difficulty when tracking
>>>> would-be intruders and attackers.
>>>>
>>>> = Recommendation =
>>>>
>>>> Although the Zope development environment is one of the largest and most
>>>> widely supported open source web content management solutions, it has
>>>> been plagued with exploitable vulnerabilities. Due to the nature of the
>>>> software and shear number of vulnerabilities, Foundstone Labs recommends
>>>> you consider utilizing a different content management solution and at a
>>>> minimum upgrade your software. Zope updates can be freely downloaded
>>>> from www.zope.org
>>>>
>>>>
>>>> _______________________________________________
>>>> Zope maillist - Zope@zope.org
>>>> http://mail.zope.org/mailman/listinfo/zope
>>>> ** No cross posts or HTML encoding! **
>>>> (Related lists -
>>>> http://mail.zope.org/mailman/listinfo/zope-announce
>>>> http://mail.zope.org/mailman/listinfo/zope-dev )