Dear Zope 2.12/.13 (4.0) devels,

as far as i can see i may have found a serious security hole within Zope 2.12 
/ 2.13 (4.0 not tested yet) - I'm still investigate here further...


problem:
======
Even on fresh Installs of Zope and fresh created instances on it anonymous / 
remote users able to access acl_users/manage_users by the web WITHOUT 
AUTHENTICATION. They can edit / delete / create users and serving roles as 
they want. Other management screens (as manage_main or manage_access aso. are 
protected as usual).

In manage_access Manage user is only allowed for Manager (as by default).

I don't believe that is any new behaviour of newer Zope versions...

I've tested this with (last public) 2.13.10 and last 2.12.20 with python2.6.

If any of the devels want to have a test url pls contact me directly.

Fresh installed zope instances was configured with defaults configs, except 
setting "user zope" (and/or port-base). Tried it with now owner or the admin 
user as owner of the acl_users too.

Can anyone prove this here too? If so, any solution / security fix?


many thanks,
best regards.


Niels.

-- 
---
Niels Dettenbach
Syndicat IT&Internet
http://www.syndicat.com/

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to