seb bacon wrote:
Shane Hathaway wrote:
seb bacon wrote:
Production sites running a stock Zope are vulnerable to abuse of their server if they have not removed the 'Examples' folder. For example, anyone could use http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
Are you sure? I get an "Unauthorized" error (but not until I actually try to upload).
Shane
I'm sure, I've tried it on a few sites.
Wait a minute, now I see it. The "addFile" script has the "Manager" proxy role! (And apparently my Zope is disregarding the proxy roles.) That's wrong. I suggest we remove the proxy roles, replacing the proxy role explanation with the text "you can set proxy roles if you want anonymous users to be able to use this script". Shane