A few days ago I found that on the site I'm currently working on,
everybody can add DTMLMethods and Documents (and maybe do more, I haven't
checked yet, but I think it's bad enough!) by simply entering a URL

After that Zope sends a 'Location' header to redirect the user to 'manage_main'.
That (manage_main) causes an 'Unauthorized' exception.
But that object 'q1' was added!!!

I was thinking that it was a bug in a Product. (I use LoginManager, LocalFS,
SiteAccess.) I decided to upgrade my Zope from 2.2.1 to 2.2.4 and upgrade
all Products (one good thing so far ;)). No success.
So I did a fresh install of Zope 2.2.4, without additional Products, with
a brand new Data.fs. The problem persists!
I have default security settings, so Anonymous can't "Add Documents,
Images, and Files".

Of course the user can put any DTML in this object - you know the
consequences... (and if the folder where this object is located is owned
by a high-privileged user, then this object is owned by that user too
(through acquisition)).
I just checked: I can't add Folders this way.

What's going on?!? Have I found a very big security hole, or am I
just going crazy? :(

Just take a look at the object with id "haveIFoundABug" at the root level
of www.zope.org that I created a few seconds ago...


| `long long long' is too long for GCC |

Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-dev )