zope 2.7: design error

Package(s): zope
CVE #(s): CVE-2005-3323
Created: November 25, 2005
Updated: December 13, 2005
Description: A vulnerability has been discovered in zope 2.7 that allows remote attackers to insert arbitrary files via include directives in reStructuredText functionality.
Alerts:
Ubuntu USN-229-1 2005-12-13
Debian DSA-910-1 2005-11-24

zope 2.7: design error

Posted Dec 15, 2005 2:44 UTC (Thu) by tseaver (subscriber, #1544)

As I noted to Martin Pitt in response to the Ubuntu advisory, the bug (bad as it is as a remote information disclosure hole) does not permit an attacker to "execute arbitrary Zope code."

The Debian advisory correctly identifies the risk; others I have seen (Gentoo, BugTraq) make the same error.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.