[Zope-dev] Take the cgi-vulnerability patch seriously!

Brian Lloyd brian@digicool.com
Thu, 26 Jul 2001 13:12:17 -0400


> Normally I do not comment on security patches for Zope because they fix very
> minor issues. The recent patch announced on
> http://www.zope.org/Products/Zope/Hotfix_2001-07-25/security_alert is
> different. We tested the exploit script provided at sourceforge, and it
> immediately pushed any of our servers we tested it on to > 90% system load.
> With two or three calls of the script, any Zope server (including all other
> services running on the server) can be brought to a halt.

Note that people running other Python-based Web systems that use
cgi.py should also be paying attention to this. I don't know if 
WebWare or other larger web systems use cgi.py for form parsing, 
but I'm sure most plain Python cgi scripts do.


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  www.digicool.com