Zope sandbox escape via SecureModuleImporter from Products/PageTemplates/ZRPythonExpr.py
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Zope 2 | Fix Released | Undecided | Tres Seaver | |
Bug Description
During security testing, a privilege escalation flaw was found in Products/
Zope-2.
```
class _SecureModuleIm
    __allow_
    def __getitem__(self, module):
        mod = safe_builtins[
        path = module.split('.')
        for name in path[1:]:
            mod = getattr(mod, name)
        return mod
```
On zope.2.10.4, the _SecureModuleIm
To deploy the POC, the user has to have privileges to create new zope pages using PageTemplates. The attached POC works only on linux systems and returns an archive containing all the data from /etc, but the function used (popen) could be easily used to run any command.
Since I have no recent zope.2.13 installation, could you please check if the bug is still present in 2.13? That would also show that the privilege escalation is not only due to some bogus historic zope installation used for testing.
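
The `__getitem__` shown in the report calls `getattr` for every path component after the first without checking what it returns. The following added example (not part of the original report and not Zope's code) contrasts that traversal with one that vets each component; the modules `reports`, `reports.fmt` and `hostcmd`, the `ALLOWED` set and `checked_import` are constructed stand-ins, and the truncated first step of the original is assumed to be an allow-listed import of the top-level name.

```python
import types

# Constructed stand-ins: a package the sandbox exposes, and a privileged
# module object that is reachable as a plain attribute of one of its modules.
SENSITIVE = types.ModuleType("hostcmd")      # hypothetical privileged module
pkg = types.ModuleType("reports")
pkg.fmt = types.ModuleType("reports.fmt")
pkg.fmt.backend = SENSITIVE                  # e.g. left behind by "import hostcmd as backend"
REGISTRY = {"reports": pkg}
ALLOWED = {"reports", "reports.fmt"}         # dotted names template code may import


def checked_import(name):
    """Hypothetical import hook: allow-list check on the name it is given."""
    if name not in ALLOWED:
        raise ImportError("import of %r is not allowed" % name)
    return REGISTRY[name]


def resolve_unchecked(dotted):
    """Same traversal pattern as the reported __getitem__: only step one is vetted."""
    path = dotted.split(".")
    mod = checked_import(path[0])
    for name in path[1:]:
        mod = getattr(mod, name)             # nothing restricts what this returns
    return mod


def resolve_checked(dotted):
    """Vets every prefix and refuses anything that is not the module it claims to be."""
    path = dotted.split(".")
    mod = checked_import(path[0])
    for depth, name in enumerate(path[1:], start=2):
        prefix = ".".join(path[:depth])
        if prefix not in ALLOWED:
            raise ImportError("import of %r is not allowed" % prefix)
        mod = getattr(mod, name)
        # Reject aliases: the object must be a module named exactly like the prefix.
        if not isinstance(mod, types.ModuleType) or mod.__name__ != prefix:
            raise ImportError("%r does not resolve to module %r" % (name, prefix))
    return mod


if __name__ == "__main__":
    print("unchecked:", resolve_unchecked("reports.fmt.backend").__name__)
    try:
        resolve_checked("reports.fmt.backend")
    except ImportError as exc:
        print("checked:  ", exc)
```
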
Changed in zope2 | |
---|---|
milestone | none → 2.13.17 |
status | In Progress → Fix Released |
information type | Private Security → Public Security |
Missing an attachment containing the proof-of-concept.