Potential security issues should not be discussed on public mailing lists but submitted to security-respo...@zope.org. Please submit the full information to that address and do not follow up further on this list.
Laurence

On 24 October 2011 15:05, Niels Dettenbach <n...@syndicat.com> wrote:
> Dear Zope 2.12/.13 (4.0) devels,
>
>
> As far as I can see, I may have found a serious security hole within Zope 2.12
> / 2.13 (4.0 not tested yet) - I'm still investigating here further...
>
>
> problem:
> ======
> Even on fresh installs of Zope and freshly created instances on it, anonymous /
> remote users are able to access acl_users/manage_users by the web WITHOUT
> AUTHENTICATION. They can edit / delete / create users and serving roles as
> they want. Other management screens (such as manage_main or manage_access and
> so on) are protected as usual.
>
> In manage_access, "Manage users" is only allowed for Manager (as by default).
>
> I don't believe that is any new behaviour of newer Zope versions...
>
> I've tested this with (last public) 2.13.10 and last 2.12.20 with Python 2.6.
>
> If any of the devels want to have a test URL, please contact me directly.
>
> Freshly installed Zope instances were configured with default configs, except
> setting "user zope" (and/or port-base). Tried it with no owner or the admin
> user as owner of the acl_users too.
>
> Can anyone prove this here too? If so, any solution / security fix?
>
>
> Many thanks,
> best regards.
>
>
> Niels.
>
> --
> ---
> Niels Dettenbach
> Syndicat IT&Internet
> http://www.syndicat.com/
> _______________________________________________
> Zope maillist - Zope@zope.org
> https://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope-dev )
>