Hmmm, it was request.environ['REMOTE_USER'] that I found a way to hack.
However, your comment has caused me to realise that when not logged in,
Apache is not setting the REMOTE_USER environment variable, so a script
can set it (in environ). So if I get the Apache boss to set REMOTE_USER
to None that should fix it? Subtle.
Thanks for making me think.
Cliff
Tres Seaver wrote:
Cliff Ford wrote:
My people want to adopt a single sign-on system for web applications
that is based on the REMOTE_USER environment variable. I have tried out
RemoteUserFolder and also adapted exUserFolder to work similarly.
My problem is that I figured out how a user who has permission to create
python scripts (might work with dtml and page templates too) could
access otherwise forbidden content by making calls that pretend to come
from another user. Has anyone else come across this problem and devised
a solution, either in software or organisation?
Problem verified with Zope 2.9.2 and latest RemoteUserFolder
User folders who care need to look at the request's 'environ' dict, e.g.::
remote_user = request.environ['REMOTE_USER'] # not hackable
rather than the default one where untrusted code can scribble::
remote_user = request['REMOTE_USER'] # hackable
Tres.
--
===================================================================
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com
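The two lookups Tres contrasts, together with the unset-variable case Cliff raises, modelled as an added example (not code from this thread or from Zope itself): a toy request whose item lookup consults a script-writable dict before the CGI environment, beside a user-folder lookup that reads environ only and treats a missing or empty REMOTE_USER as anonymous. ToyRequest, remote_user_hackable and remote_user_trusted are hypothetical names, and the lookup order is a simplification of HTTPRequest.

```python
from typing import Optional


class ToyRequest:
    """Stand-in for a Zope-style request (assumption: simplified lookup order).

    'environ' holds what the web server supplied; 'other' is the dict that
    request.set() writes to, which through-the-web script code can call.
    """

    def __init__(self, environ: dict):
        self.environ = dict(environ)
        self.other = {}

    def set(self, key: str, value) -> None:
        # This is all untrusted script code needs: request.set('REMOTE_USER', ...)
        self.other[key] = value

    def __getitem__(self, key: str):
        # Script-writable 'other' shadows the server-provided environ.
        if key in self.other:
            return self.other[key]
        return self.environ[key]


def remote_user_hackable(request: ToyRequest) -> Optional[str]:
    """The pattern the thread warns against: request['REMOTE_USER']."""
    try:
        return request['REMOTE_USER']
    except KeyError:
        return None


def remote_user_trusted(request: ToyRequest) -> Optional[str]:
    """Read only what the web server placed in environ, and map a missing
    or empty value to anonymous (None) instead of leaving a key that script
    code might fill in."""
    value = request.environ.get('REMOTE_USER')
    if not value:
        return None
    return value


if __name__ == '__main__':
    # Constructed sample: Apache authenticated 'cliff', a script claims 'admin'.
    req = ToyRequest({'REMOTE_USER': 'cliff'})
    req.set('REMOTE_USER', 'admin')
    print(remote_user_hackable(req), remote_user_trusted(req))  # admin cliff
```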
_______________________________________________
Zope maillist - [email protected]
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )