Re: [Zope] Re: REMOTE_USER Security Issue

2006-05-16 Thread Martijn Pieters
On 5/16/06, Cliff Ford <[EMAIL PROTECTED]> wrote: So I still wonder if anyone who is using the REMOTE_USER environment variable is aware of a problem and has a solution. Environment-related variables should not be "hackable" from restricted code. Please file a report in the Zope Collector: htt

Re: [Zope] Re: REMOTE_USER Security Issue

2006-05-16 Thread Cliff Ford
I have done some more testing, and despite being told that request.environ['REMOTE_USER'] is not hackable I have hacked it and can use the hack to get at otherwise forbidden content. For testing I have set REMOTE_USER in the zope.conf cgi-environment variable, so I can quickly change from being

Re: [Zope] Re: REMOTE_USER Security Issue

2006-05-15 Thread Cliff Ford
Hmmm, it was request.environ['REMOTE_USER'] that I found a way to hack. However, your comment has caused me to realise that when not logged in, Apache is not setting the REMOTE_USER environment variable, so a script can set it (in environ). So if I get the Apache boss to set REMOTE_USER to None