Vulnerabilities > CVE-2001-0568 - Local Security vulnerability in Zope

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
local
low complexity
zope
nessus

Summary

Digital Creations Zope 2.3.1 b1 and earlier allows a local attacker (Zope user) with through-the-web scripting capabilities to alter ZClasses class attributes.

Vulnerable Configurations

Part Description Count
Application
Zope
1

Nessus

  • NASL familyWeb Servers
    NASL idZOPE_DOS.NASL
    descriptionThe remote web server is Zope < 2.2.5. Such versions allow any Zope user to create a denial of service by modifying Zope data structures, thus rendering the site unusable. *** Since Nessus solely relied on the version number of the server, *** consider this a false positive if the hotfix has already been applied.
    last seen2020-06-01
    modified2020-06-02
    plugin id10702
    published2001-08-04
    reporterThis script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10702
    titleZope ZClass Modification Local DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if(description)
    {
     script_id(10702);
     script_version ("1.26");
    
     script_cve_id("CVE-2001-0568");
     script_bugtraq_id(2458);
     
     script_name(english:"Zope ZClass Modification Local DoS");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains an application server that is prone to
    a denial of service issue." );
     script_set_attribute(attribute:"description", value:
    "The remote web server is Zope < 2.2.5.  Such versions allow any Zope
    user to create a denial of service by modifying Zope data structures,
    thus rendering the site unusable. 
    
    *** Since Nessus solely relied on the version number of the server, 
    *** consider this a false positive if the hotfix has already been applied." );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to Zope 2.2.5 or later." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2001/08/04");
     script_set_attribute(attribute:"vuln_publication_date", value: "2001/02/15");
     script_cvs_date("Date: 2018/08/07 16:46:51");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     
     script_summary(english:"Checks for Zope");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
     script_family(english:"Web Servers");
     script_dependencie("find_service1.nasl", "http_version.nasl");
     script_require_ports("Services/www", 80);
     script_require_keys("www/zope");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80);
    
    banner = get_http_banner(port:port);
    
    if(banner)
    {
      if(egrep(pattern:"Server: .*Zope 2\.((0\..*)|(1\..*)|(2\.[0-4]))", 
      		string:banner))
         security_warning(port);
    }
    
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2001-049.NASL
    descriptionAnother problem was discovered in Zope that fixes a problem with ZClasses. Any user can visit a ZClass declaration and change the ZClass permission mappings for methods and other objects defined within the ZClass, possibly allowing for unauthorized access within the Zope instance. The Zope Hotfix 2001-05-01 corrects this problem.
    last seen2020-06-01
    modified2020-06-02
    plugin id61913
    published2012-09-06
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/61913
    titleMandrake Linux Security Advisory : Zope (MDKSA-2001:049)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-043.NASL
    descriptionThis advisory covers several vulnerabilities in Zope that have been addressed.Hotfix 08_09_2000
    last seen2020-06-01
    modified2020-06-02
    plugin id14880
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14880
    titleDebian DSA-043-1 : zope

Redhat

advisories
rhsa
idRHSA-2001:021