Bug 9208 - net-www/zope
Summary: net-www/zope
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: Lowest critical
Assignee: Gentoo Security
Blocks: 9455
Reported: 2002-10-16 13:45 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-02-04 19:42 UTC

Description Daniel Ahlberg (RETIRED) gentoo-dev 2002-10-16 13:45:25 UTC
Subject: Insecure XML-RPC handling in Zope reveals the distribution physical location.
Date: Tue, 1 Oct 2002 09:57:27 -0400 
From: Rossen Raykov <Rossen.Raykov@CognicaseUSA.com> 
To: "BugTraq (E-mail)" <bugtraq@securityfocus.com> 
 
Zope versions pre 2.5.1b2 do not correctly handle some XML-RPC requests.
 
1. Summary: 
 
Zope (www.zope.org) will reveal the complete physical location where the
server and its components are installed if it receives "incorrect" XML-RPC
requests.
In some cases it will also reveal information about the servers in the
protected LAN (10.x.x.x for example) on which current server is relaying.
 
 
2. Details: 
 
A request like the one quoted below will cause Zope to produce stack traces in
the response that will reveal the information mentioned above.
 
See http://collector.zope.org/Zope/359 for more details. 
 
Ironically, the quoted request was an example of how to use XML-RPC.
 
Note that starting Zope without -D option won't stop the exposure. 
 
telnet localhost 8080 
POST /Documentation/comp_tut HTTP/1.0 
Host: localhost 
Content-Type: text/xml 
Content-length: 93 
 
<?xml version="1.0"?>
<methodCall> 
<methodName>objectIds</methodName> 
<params/> 
</methodCall> 
 
 
3. Vulnerable versions: 
    Zope 2.3.2 - Yes (earlier versions were not tested)
    Zope 2.4.1 (Stable) - Yes
    Zope 2.5.0 (Stable) - Yes
    Zope 2.5.1 (Stable) - Yes
    Zope 2.5.1b2 (Development) - No
    Zope 2.6.0b1 (Development) - No
 
 
4. Solution: 
    Upgrade to 2.6.0b1 (Development) if possible. 
 
 
5. Vendor information 
 
    Notification was sent to the vendor on March 22, 2002
    The issue was officially resolved on Aug 29, 2002 but only in v2.6.0. 
 
 
Regards, 
Rossen Raykov 
 
 
--- 
Rossen Raykov 
COGNICASE U.S.A. Inc. 
(908) 860-1100 Ext. 1140 
Rossen.Raykov@CognicaseUSA.com
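
A check an operator could run over a response captured from their own Zope instance, before and after upgrading, to see whether the XML-RPC fault still carries the details the advisory describes. This is an added example, not part of the bug report or the advisory; the function names, the patterns and both sample responses (including the path and address in them) are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Detail classes the advisory says leak (pattern names are this example's own).
LEAK_PATTERNS = {
    "traceback": re.compile(r'Traceback \(most recent call last\)|File "[^"]+", line \d+'),
    "filesystem_path": re.compile(r"(?<![\w./:])/(?:[\w.+-]+/)+[\w.+-]+"),
    "private_ip": re.compile(
        r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}"
        r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b"),
}

def fault_text(body):
    """Text of every <fault> in an XML-RPC reply; whole reply if none or not XML."""
    try:
        root = ET.fromstring(body)  # intended for replies from a server you operate
    except ET.ParseError:
        return body  # HTML error page or truncated reply: scan it as-is
    parts = ["".join(f.itertext()) for f in root.iter("fault")]
    return "\n".join(parts or ["".join(root.itertext())])

def find_leaks(body):
    """Map leak class -> sorted unique matches; an empty dict means nothing found."""
    text = fault_text(body)
    hits = {n: sorted(set(p.findall(text))) for n, p in LEAK_PATTERNS.items()}
    return {n: found for n, found in hits.items() if found}

# Constructed sample replies, not captured from a real server.
LEAKY = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>-1</int></value></member>
<member><name>faultString</name><value><string>Traceback (most recent call last):
  File "/opt/zope-example/lib/python/ZPublisher/Publish.py", line 150, in publish
AttributeError: objectIds (backend 10.0.0.12:8080)</string></value></member>
</struct></value></fault></methodResponse>"""

CLEAN = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>-1</int></value></member>
<member><name>faultString</name><value><string>Unexpected Zope error</string></value></member>
</struct></value></fault></methodResponse>"""

if __name__ == "__main__":
    print(find_leaks(LEAKY))
    print(find_leaks(CLEAN))
```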