[Dylan Reinhardt wrote (zope@dylanreinhardt.com) on 3/26/03 2:33 PM]
On Thu, 2003-03-27 at 01:39, jamesd@mena.org.au wrote:
If I log in to plone2 as the user Demo, then go to the following url: http://my.server/plone2/plone1 The permissions are acquired from the demo site giving full Manager access to my main plone site. This is obviously a serious problem.
Yep. This is a huge vulnerability in certain configurations.
But the *real* problem is not that plone1 methods can be applied to plone2 objects. That is a feature, not a bug. :-)
(butting into this thread late) right, this is acquisition. if you have index_html in the same folder as standard_html_footer and do <dtml-var standard_html_footer> in your index_html, it pulls that one and not one above. Same idea with folders, right?
Rather, the problem is that you have implicitly *permitted* this to take place by using common roles across sites. I suspect that you're hardly alone in setting up your site this way. In fact, I was auditing one of my own sites and stumbled across a variant of this technique that allowed arbitrary access to virtually any object on the server. Yikes!
I'm not so sure it's because of this...
I'm working on a howto for this concern... but in the interim, I'd strongly recommend taking three steps to secure *any* multi-user, multi-host Zope app:
1. Reserve the Manager role for server administration only. Just as importantly, don't *ever* assign a Manager proxy role unless you are certain you've worked out all the implications of that method being applied to arbitrary objects.
2. Use different roles for different groups of users. Create site-specific, function-specific roles like site1_admin, site2_admin, site1_user, etc. Use server-wide roles sparingly and define them narrowly (send_mail, add_user, etc).
I tested this out and found it did not work. I had two folders (folder1, folder2) side by side in the same container (folder). I gave a user in folder1 the role X_admin, which role had all the same perms as Manager. This is the only role this user had. This user was still able to call folder1/folder2 and do what he liked in folder2.
3. Disable/restrict "view folder contents" permissions for all folders that are parents of your site root folders. Leaving that permission turned on for Anonymous (the default) allows virtually anyone to obtain details about your server setup that are quite handy for setting up cross-site scripting exploits. It's shockingly easy to do this and there are few (if any) reasons why you'd want that feature enabled for parents of your site roots anyway.
I don't see this permission anywhere... Do you mean "Access contents information"? I would add that turning off WebDAV access for anonymous users is a good idea.
<-->
george donnelly - http://www.zettai.net/ - "We Love Newbies" :)
Zope Hosting - Dynamic Website Design - Search Engine Promotion
Yahoo, AIM: zettainet - MSN: zettainet@hotmail.com - ICQ: 51907738
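A constructed simulation, added here and not Zope's or Plone's own code, of why the folder1/folder2 test in this thread still grants the role: implicit acquisition resolves folder2 through folder1, so a role lookup that walks the acquisition chain finds X_admin, while a lookup that walks only physical containment does not. The `Folder` class, `traverse` function and the user name "demo" are assumptions for the model.

```python
# Constructed model of Zope-style implicit acquisition of local roles.
# Not Zope's own code: it shows why a role granted in folder1 is still
# found when folder2 is reached via the URL .../folder1/folder2.

class Folder:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent          # containment (physical) parent
        self.children = {}
        self.local_roles = {}         # user -> set of roles granted here
        if parent is not None:
            parent.children[name] = self

def traverse(root, path):
    """Resolve a URL path the way implicit acquisition does: a name not found
    on the current object is looked up on every object already traversed.
    Returns the acquisition chain (objects visited, outermost first)."""
    chain = [root]
    for name in path.strip("/").split("/"):
        for obj in reversed(chain):
            if name in obj.children:
                chain.append(obj.children[name])
                break
        else:
            raise KeyError(name)
    return chain

def roles_via_acquisition(chain, user):
    """Role lookup along the acquisition chain (the vulnerable behaviour)."""
    roles = set()
    for obj in chain:
        roles |= obj.local_roles.get(user, set())
    return roles

def roles_via_containment(obj, user):
    """Role lookup along physical containment only (the intended scope)."""
    roles = set()
    while obj is not None:
        roles |= obj.local_roles.get(user, set())
        obj = obj.parent
    return roles

def build_site():
    # Constructed layout from the thread: folder1 and folder2 side by side,
    # with user "demo" holding X_admin only in folder1.
    root = Folder("root")
    folder = Folder("folder", root)
    folder1 = Folder("folder1", folder)
    Folder("folder2", folder)
    folder1.local_roles["demo"] = {"X_admin"}
    return root
```

Checking roles against the acquisition chain for `folder/folder1/folder2` yields X_admin on folder2; checking against containment yields nothing, which is the difference between "where the request came through" and "where the object actually lives".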