Anonymous arbitrary shell execution possible via URL
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Zope 2 | Fix Released | Critical | Tres Seaver | |
Bug Description
The application root object has a p_ attribute, which is a reference to the OFS.misc_.p_ class. This class is used to define a bunch of static resources (icons, "Powered by Zope" banners, etc.). In order to compute the correct paths for the images, some modules are imported to allow access to their __file__ attribute. The webdav module, which is imported to locate the davlock.gif image, has a docstring and is thus publishable.
It's possible to get from the webdav module to os (webdav/
Note that not all methods are publishable (e.g. os.system), as Zope is unable to enumerate the parameters required. I've tested this on 2.12 and 2.10; it appears 2.10 is not vulnerable as it always attempts to wrap objects when publishing (i.e. objects without an __of__ method can never be published).
Simple example:
http://
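Added example (not Zope's own code, and not from the reporter): a simplified model of the publishability rule described above, showing why a plain module reachable by attribute traversal passes a docstring-only check and why the 2.10 behaviour of requiring an acquisition-wrappable object (one with an `__of__` method) refuses it. The `Root`, `Resource`, `icon` and `helper` names are assumptions for illustration.

```python
"""Simplified model of ZPublisher-style traversal (added example, not Zope code)."""
import types


class Resource:
    """A publishable static resource; the docstring is what makes it publishable."""

    def __of__(self, parent):
        # Acquisition hook that real Zope objects provide (assumed stand-in).
        return self


class Root:
    """Application root stand-in (names are assumptions, not Zope's)."""
    icon = Resource()
    helper = types  # a plain Python module: has a docstring, lacks __of__


def publishable_by_docstring(obj):
    """Docstring-only rule (simplified): anything with a docstring is publishable."""
    return bool(getattr(obj, "__doc__", None))


def publishable_if_wrappable(obj):
    """Hardened rule (simplified 2.10 behaviour): must also be acquisition-wrappable."""
    return publishable_by_docstring(obj) and hasattr(obj, "__of__")


def traverse(root, path, policy):
    """Walk a URL path one element at a time; return None if any hop is refused."""
    obj = root
    for name in path.strip("/").split("/"):
        if name.startswith("_"):
            return None  # private names are never publishable
        nxt = getattr(obj, name, None)
        if nxt is None or not policy(nxt):
            return None
        obj = nxt
    return obj


if __name__ == "__main__":
    # The module is reachable under the docstring-only rule but not the hardened one.
    print(traverse(Root(), "/helper", publishable_by_docstring) is types)   # True
    print(traverse(Root(), "/helper", publishable_if_wrappable) is None)    # True
    print(traverse(Root(), "/icon", publishable_if_wrappable) is not None)  # True
```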
CVE References
Changed in zope2:
milestone: none → 2.12.20
Changed in zope2:
status: In Progress → Fix Released
visibility: private → public
Hmm. Nobody picking this up? I can try to take a stab at this but probably not in this week.