Joshua Penix wrote:
On Sep 1, 2006, at 12:47 PM, James G. Sack (jim) wrote:
For what it's worth, I did manage to capture the full list of users
and emails at that time and there was no 'serj' as of July 25.
This might be a useful list, because as of this moment I'm using an
internal Zope search function to root out all documents with the word
'javascript' in them.
The exploit is this:
http://performancing.com/node/4066
We have over 450 users registered now. The current problem is that I
have to manually find them, then hand-delete their user account and then
subsequently hand-delete their Member folder. Just deleting the user is
not enough because their files stay behind and those links remain valid.
The simplest thing to script at this point would be a function to
reconcile the list of Member folders against the list of valid users.
If we could pare down the registered user list back to what it used to
be, then a quick script would rip out all the deleted users' content.
I'm trying to cobble something together but my PloneFu is rusty. Tracy
said he may take a whack at it tonight.
I'm short on time to deal with this but am trying to get rid of the bulk
right now... not sure how successful I'll be, but I'll put the site back
up in a little bit when I'm done (or give up).
I see on the thread at the link above that Plone 2.1 or 2.5 is
supposedly not susceptible to this exploit (per comment by Alexander
Limi, co-founder of Plone).
I also remember reading that Plone 2.5 contained many performance
improvements (and performance _is_ a bit of an issue with our site).
I don't mean to be begging for an upgrade, but if there's a lot of
effort involved anyway, it might be worth considering. 'Course, maybe
2.5 would also require a Zope upgrade, too?
Holler, if I can help any with the grunt work.
..jim
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-steer
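The reconciliation script Joshua describes above (compare the Member folders against the list of valid users, then remove the folders left behind by deleted accounts, since deleting the account alone leaves the spam pages reachable) as an added example; it is not code from anyone on this thread. It assumes the portal exposes the CMF membership tool as `portal_membership` with `listMemberIds()`, and that the `Members` container behaves like a Zope ObjectManager (`objectIds()`, `manage_delObjects(ids)`). The in-memory fake portal at the bottom is constructed so the module runs offline; on a real site you would pass the portal object instead.

```python
"""Reconcile Plone Member folders against the live user list.

Added example, not code from the thread's authors.  Deleting a spam user's
account alone leaves their Member folder (and its pages) reachable, so the
cleanup has to find folders with no matching account and remove those too.

Assumptions: ``portal.portal_membership.listMemberIds()`` (CMF membership
tool) and ``portal.Members.objectIds()`` / ``manage_delObjects(ids)`` (Zope
ObjectManager API).  The Fake* classes below are constructed stand-ins.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set


def find_orphaned_folders(member_folder_ids: Iterable[str],
                          valid_user_ids: Iterable[str],
                          exclude: Iterable[str] = ()) -> List[str]:
    """Return folder ids with no matching user account, sorted.

    ``exclude`` lists ids that live in the Members container but are not
    member folders (site-specific; e.g. a shared index page) and must never
    be treated as orphans.
    """
    valid: Set[str] = set(valid_user_ids) | set(exclude)
    return sorted(fid for fid in set(member_folder_ids) if fid not in valid)


def reconcile_member_folders(portal, dry_run: bool = True,
                             exclude: Iterable[str] = ()) -> List[str]:
    """Delete Member folders whose owner no longer exists.

    Returns the ids that were removed (or, with ``dry_run=True``, the ids
    that would be removed).  Always run the dry run first and eyeball the
    list before deleting anything.
    """
    membership = portal.portal_membership      # assumed CMF tool name
    members = portal.Members                   # assumed Members container
    orphans = find_orphaned_folders(members.objectIds(),
                                    membership.listMemberIds(), exclude)
    if orphans and not dry_run:
        members.manage_delObjects(orphans)     # ObjectManager API (assumed)
    return orphans


# --- constructed in-memory stand-ins so the module runs without Zope -------

@dataclass
class FakeMembershipTool:
    user_ids: List[str]

    def listMemberIds(self) -> List[str]:
        return list(self.user_ids)


@dataclass
class FakeMembersFolder:
    folders: Set[str] = field(default_factory=set)

    def objectIds(self) -> List[str]:
        return sorted(self.folders)

    def manage_delObjects(self, ids: Iterable[str]) -> None:
        for fid in ids:
            if fid not in self.folders:
                raise KeyError(fid)
            self.folders.discard(fid)


@dataclass
class FakePortal:
    portal_membership: FakeMembershipTool
    Members: FakeMembersFolder


def build_sample_portal() -> FakePortal:
    """Constructed sample: two live users, two folders left by deleted spammers."""
    return FakePortal(
        portal_membership=FakeMembershipTool(["alice", "bob"]),
        Members=FakeMembersFolder({"alice", "bob", "spam-user-1", "spam-user-2"}),
    )


if __name__ == "__main__":
    portal = build_sample_portal()
    print("would delete:", reconcile_member_folders(portal, dry_run=True))
    print("deleted:", reconcile_member_folders(portal, dry_run=False))
    print("remaining folders:", portal.Members.objectIds())
```

The dry run is the important part: a Members container on a real site can hold objects that are not member folders, so review the candidate list and put any such ids in `exclude` before running with `dry_run=False`.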