On 24 Mar 2007, at 09:03, Flemming Bjerke wrote:
> That I think it is a vulnerability that a person can irreparably corrupt zope's date system by sending one request with a wrong date (in my case using the default open comment opportunity in zwiki).

There is no "vulnerability". I think you're confusing a few things. All I read from your description is that you, as the admin, used Undo and even mucked with your database while having set the server to a different time. That's no vulnerability, that's the admin user messing with the database.

Requests don't have anything to do with either the ZODB time stamp or any application time stamp. You should take a look at the code and gain some better understanding of how the Wiki code generates or uses dates. Date stamps are generated by taking the time as set on the host machine. They are not generated from requests sent to the server.

jens



_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope