seb bacon wrote:
> 
> 
> Shane Hathaway wrote:
> 
>> seb bacon wrote:
>>
>>> Production sites running a stock Zope are vulnerable to abuse of 
>>> their server if they have not removed the 'Examples' folder.  For 
>>> example, anyone could use 
>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>
>>
>>
>> Are you sure?  I get an "Unauthorized" error (but not until I actually 
>> try to upload).
>>
>> Shane
> 
> 
> I'm sure, I've tried it on a few sites.

Wait a minute, now I see it.  The "addFile" script has the "Manager" 
proxy role!  (And apparently my Zope is disregarding the proxy roles.) 
That's wrong.  I suggest we remove the proxy roles, replacing the proxy 
role explanation with the text "you can set proxy roles if you want 
anonymous users to be able to use this script".

Shane



_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to