Anonymous can crash Zope2.10 and 2.11
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Fix Released | Medium | Tres Seaver |
Bug Description
This has been observed with regular plone installations, but the root cause is in zope.
The easiest way to trigger this behaviour is buildout.
Create this buildout.cfg:
[buildout]
extends=http://
Get yourself a copy of bootstrap.py and run buildout.
* Start Zope
* Create a new Plone site
* Add a new page, make it private.
* Log out
* As anonymous, manually craft the following URL: http://
As the page is private and cannot be accessed by anonymous users, a bug in the PAS code will trigger an exception. This exception does not get caught, causing the thread to be killed.
Doing this repeatedly allows one to kill all threads thus causing a denial of service. Note that the Zope process itself will continue to run.
This problem does not occur with Zope 2.12. There, the ZServer has a catch-all exception handler that covers the issue.
I created a branch from the 2.10 branch:
svn+ssh://<email address hidden>
It contains the same changes as they happened in Zope 2.12. On retrying the above procedure, the user does not get any answer, but the thread also does not die.
I'll mark this issue as a security vulnerability because I want the bug to be private.
This bug was originally reported by somebody else.
description: updated
description: updated
visibility: private → public
Try to improve wording on reproduction steps after talking with Patrick on IRC.