Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread seb bacon


>>>> Production sites running a stock Zope are vulnerable to abuse of
>>>> their server if they have not removed the 'Examples' folder.  For
>>>> example, anyone could use
>>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>>
>>> Are you sure?  I get an "Unauthorized" error (but not until I
>>> actually try to upload).
>>>
>>> Shane
>>
>> I'm sure, I've tried it on a few sites.
>
> Wait a minute, now I see it.  The "addFile" script has the "Manager" 
> proxy role!  (And apparently my Zope is disregarding the proxy roles.) 
> That's wrong.  I suggest we remove the proxy roles, replacing the proxy 
> role explanation with the text "you can set proxy roles if you want 
> anonymous users to be able to use this script".

Don't forget the Message Board application too.  Are you fixing this or 
shall I?

seb



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
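
The mechanism behind the thread above, as an added illustration that is not code from Zope or from either poster: a toy model of role-based permission checks in which a script with proxy roles runs its body with those roles instead of the caller's. It shows the two findings in the thread side by side (an anonymous-callable addFile with a "Manager" proxy role, and the "Add Documents, Images, and Files" permission granted to Anonymous), plus the fix of removing the proxy roles. All class and function names (Folder, Script, build_file_library, try_upload, audit) and the sample file are invented for the example; the real Zope security policy has more rules than this.

```python
"""Toy model of Zope-style role/permission checks and proxy roles.

Added example, not Zope's own code.  Names and the sample upload are
invented for illustration; the real security policy is richer than this.
"""

ANONYMOUS = "Anonymous"
ADD_PERM = "Add Documents, Images, and Files"
VIEW_PERM = "View"


class Unauthorized(Exception):
    """Raised when the effective roles do not carry the needed permission."""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


class Folder:
    """A container whose permissions map to the roles allowed to use them."""

    def __init__(self, name, permission_roles):
        self.name = name
        self.permission_roles = {p: frozenset(r) for p, r in permission_roles.items()}
        self.files = {}

    def check(self, permission, roles):
        allowed = self.permission_roles.get(permission, frozenset())
        if not (allowed & roles):
            raise Unauthorized(f"{permission!r} on {self.name} needs one of {sorted(allowed)}")

    def add_file(self, roles, file_id, data):
        # The check the FileLibrary folder performs for every addition.
        self.check(ADD_PERM, roles)
        self.files[file_id] = data
        return file_id


class Script:
    """A script object.  With non-empty proxy_roles the body runs with
    those roles in place of the caller's: that is what a proxy role does."""

    def __init__(self, name, call_roles, proxy_roles, body):
        self.name = name
        self.call_roles = frozenset(call_roles)    # roles allowed to invoke it
        self.proxy_roles = frozenset(proxy_roles)
        self.body = body

    def __call__(self, user, *args):
        if not (self.call_roles & user.roles):
            raise Unauthorized(f"{user.name} may not call {self.name}")
        effective = self.proxy_roles or user.roles
        return self.body(effective, *args)


def build_file_library(anonymous_can_add, proxy_roles):
    """Hypothetical FileLibrary folder plus its addFile script."""
    folder = Folder("FileLibrary", {
        VIEW_PERM: {ANONYMOUS, "Manager"},
        ADD_PERM: {ANONYMOUS, "Manager"} if anonymous_can_add else {"Manager"},
    })
    script = Script(
        "addFile",
        call_roles={ANONYMOUS, "Manager"},   # anyone who can view may call it
        proxy_roles=proxy_roles,
        body=lambda roles, fid, data: folder.add_file(roles, fid, data),
    )
    return folder, script


def try_upload(folder, script, user):
    """Attempt an upload as `user`; returns 'uploaded' or 'Unauthorized'."""
    try:
        script(user, "warez.zip", b"constructed sample payload")
        return "uploaded"
    except Unauthorized:
        return "Unauthorized"


def audit(folder, script):
    """The two things an admin should look for on an Examples folder."""
    findings = []
    if ANONYMOUS in folder.permission_roles.get(ADD_PERM, ()):
        findings.append(f"{ADD_PERM!r} granted to Anonymous on {folder.name}")
    if ANONYMOUS in script.call_roles and script.proxy_roles:
        findings.append(f"{script.name} callable by Anonymous runs with proxy roles {sorted(script.proxy_roles)}")
    return findings


if __name__ == "__main__":
    anon = User("anonymous", {ANONYMOUS})
    admin = User("admin", {"Manager"})
    cases = [
        ("stock: addFile has Manager proxy role", dict(anonymous_can_add=False, proxy_roles={"Manager"})),
        ("fixed: proxy roles removed", dict(anonymous_can_add=False, proxy_roles=())),
        ("add permission granted to Anonymous", dict(anonymous_can_add=True, proxy_roles=())),
    ]
    for label, cfg in cases:
        folder, script = build_file_library(**cfg)
        print(f"{label}: anon={try_upload(folder, script, anon)} "
              f"admin={try_upload(folder, script, admin)} findings={audit(folder, script)}")
```

Running the block prints one line per configuration: in the stock layout the anonymous upload succeeds even though the folder only grants the add permission to Manager, because the script body runs as Manager; removing the proxy roles turns that into Unauthorized for anonymous while the Manager still succeeds; granting the add permission to Anonymous directly reopens the hole without any proxy role. The audit function reports both conditions, which is the check to run on any Examples, FileLibrary or Message Board folder left on a production site.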



Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread Shane Hathaway

seb bacon wrote:
> 
> 
> Shane Hathaway wrote:
> 
>> seb bacon wrote:
>>
>>> Production sites running a stock Zope are vulnerable to abuse of 
>>> their server if they have not removed the 'Examples' folder.  For 
>>> example, anyone could use 
>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>
>>
>>
>> Are you sure?  I get an "Unauthorized" error (but not until I actually 
>> try to upload).
>>
>> Shane
> 
> 
> I'm sure, I've tried it on a few sites.

Wait a minute, now I see it.  The "addFile" script has the "Manager" 
proxy role!  (And apparently my Zope is disregarding the proxy roles.) 
That's wrong.  I suggest we remove the proxy roles, replacing the proxy 
role explanation with the text "you can set proxy roles if you want 
anonymous users to be able to use this script".

Shane



Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread Shane Hathaway

seb bacon wrote:
> 
> 
> Shane Hathaway wrote:
> 
>> seb bacon wrote:
>>
>>> Production sites running a stock Zope are vulnerable to abuse of 
>>> their server if they have not removed the 'Examples' folder.  For 
>>> example, anyone could use 
>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>
>>
>>
>> Are you sure?  I get an "Unauthorized" error (but not until I actually 
>> try to upload).
>>
>> Shane
> 
> 
> I'm sure, I've tried it on a few sites.

Hmm, it would appear that the "Add Documents, Images, and Files" 
permission is enabled for anonymous.  It shouldn't be, obviously.

Shane



Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread seb bacon



Shane Hathaway wrote:
> seb bacon wrote:
> 
>> Production sites running a stock Zope are vulnerable to abuse of their 
>> server if they have not removed the 'Examples' folder.  For example, 
>> anyone could use http://notcarefulenough.com/Examples/FileLibrary as a 
>> warez repository.
> 
> 
> Are you sure?  I get an "Unauthorized" error (but not until I actually 
> try to upload).
> 
> Shane

I'm sure, I've tried it on a few sites.

Try this ;-)

   http://new.zope.org/Examples/FileLibrary

seb




Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread Shane Hathaway

seb bacon wrote:
> Production sites running a stock Zope are vulnerable to abuse of their 
> server if they have not removed the 'Examples' folder.  For example, 
> anyone could use http://notcarefulenough.com/Examples/FileLibrary as a 
> warez repository.

Are you sure?  I get an "Unauthorized" error (but not until I actually 
try to upload).

Shane


