Security advisory 2008-08-12
Critical errors in Zope 2 PythonScripts
News from Zope Website
Synopsis:
Reported by Marc-Andre Lemburg:
PythonScripts in Zope 2 can be misused to shut down a complete Zope 2 instance or to mount a local denial-of-service attack. This issue affects only those Zope 2 instances where users have unrestricted access to the ZMI and the ability to edit PythonScripts; this should usually not be the case for instances where Manager access is granted only to trusted persons.
Affected versions:
- all Zope 2.X versions
Related bug reports:
Actions to be taken:
- verify that only trusted users can access the ZMI of your Zope instances
Hotfix for Zope 2.7 - Zope 2.11:
Credits:
Philipp von Weiterhausen and Marc-Andre Lemburg gave valuable hints for resolving this issue.