Anonymous can crash Zope2.10 and 2.11

Reported by Patrick Gerken on 2010-09-01
This bug report is a duplicate of:  Bug #373621: [DM] Worker threads leaking. Edit Remove
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Zope 2
Medium
Tres Seaver

Bug Description

This has been observed with regular plone installations, but the root cause is in zope.

The easiest way to trigger this behaviour, is buildout.

Create this buildout.cfg:

[buildout]
extends=http://svn.plone.org/svn/collective/buildout/plonetest/plone-3.3.5.cfg

Get yourself a copy of bootstrap.py and run buildout.

* Start Zope
* Create a new Plone site
* Add a new page, make it private.
* Log out
* As anonymous, manually craft the following URL: http://yoursite/plone/new_page?came_from:list=123

As the page is private and can not be accessed by anonymous users a bug in the PAS code will trigger an exception. This exception does not get caught, causing the thread to be killed.
Doing this repeatedly allows one to kill all threads thus causing a denial of service. Note that the Zope process itself will continue to run.

This problem does not occur with Zope 2.12. There The ZServer has a catchall exception handler that covers the issue.

I created a branch from the 2.10 branch:
svn+ssh://<email address hidden>/repos/main/Zope/branches/do3cc_catchall

It contains the same changes as they happened in Zope 2.12. On retrying the above procedure, the user does not get any answer, but the thread also does not die.

I'll mark this issue as a security vulnerability because I want the bug to be private.

This bug was originally reported by somebody else.

CVE References

Patrick Gerken (do3cc) on 2010-09-01
description: updated
Christian Theune (ct-gocept) wrote :

Try to improve wording on reproduction steps after talking with Patrick on IRC.

description: updated
Patrick Gerken (do3cc) wrote :

I forgot a full traceback

Unhandled exception in thread started by <class ZServer.PubCore.ZServerPublisher.ZServerPublisher at 0x7f414edc6cb0>
Traceback (most recent call last):
  File "/home/patrick/.virtualenvs/denso.intranet/parts/zope2/lib/python/ZServer/PubCore/ZServerPublisher.py", line 29, in __init__
    response=b)
  File "/home/patrick/.virtualenvs/denso.intranet/parts/zope2/lib/python/ZPublisher/Publish.py", line 401, in publish_module
    environ, debug, request, response)
  File "/home/patrick/.virtualenvs/denso.intranet/parts/zope2/lib/python/ZPublisher/Publish.py", line 212, in publish_module_standard
    request.response.exception()
  File "/home/patrick/.virtualenvs/denso.intranet/parts/zope2/lib/python/ZPublisher/HTTPResponse.py", line 732, in exception
    self._unauthorized()
  File "/home/patrick/.virtualenvs/denso.intranet/eggs/Products.PluggableAuthService-1.6.1-py2.4.egg/Products/PluggableAuthService/PluggableAuthService.py", line 1013, in _unauthorized
    if not self.challenge(req, resp):
  File "/home/patrick/.virtualenvs/denso.intranet/eggs/Products.PluggableAuthService-1.6.1-py2.4.egg/Products/PluggableAuthService/PluggableAuthService.py", line 1052, in challenge
    if challenger.challenge(request, response):
  File "/home/patrick/.virtualenvs/denso.intranet/eggs/Products.PluggableAuthService-1.6.1-py2.4.egg/Products/PluggableAuthService/plugins/CookieAuthHelper.py", line 145, in challenge
    return self.unauthorized()
  File "/home/patrick/.virtualenvs/denso.intranet/eggs/Products.PluggableAuthService-1.6.1-py2.4.egg/Products/PluggableAuthService/plugins/CookieAuthHelper.py", line 213, in unauthorized
    url = url + '?came_from=%s' % quote(came_from)
  File "/home/patrick/python/python-2.4.6/lib/python2.4/urllib.py", line 1121, in quote
    res = map(safe_map.__getitem__, s)

description: updated
description: updated

> ** Description changed:
>
> This has been observed with regular plone installations, but the root
> cause is in zope.

This bug has been assigned the reference CVE-2010-3198

Matthew

Tres Seaver (tseaver) wrote :
Changed in zope2:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Tres Seaver (tseaver)
milestone: none → 2.10.12
Tres Seaver (tseaver) wrote :

lp:373621 is already marked "Fix Released" for the 2.12 release line. I will be working to land this
fix in new 2.10.12 and 2.11.7 releases.

Tres Seaver (tseaver) wrote :
Changed in zope2:
status: Confirmed → Fix Committed
Tres Seaver (tseaver) wrote :
Changed in zope2:
status: Fix Committed → Fix Released
Tres Seaver (tseaver) on 2010-09-02
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers