25 May 2001, 6:16 p.m.
On Fri, May 25, 2001 at 11:39:54AM -0600, Bill Anderson wrote:
So, you give a user you presumably trust ssh/ssl access to use ZShell. They comment this code out, or the code that even bothers to check for permission to do anything, and now they '0WNZ Y0ur z0p3 sist3m'.
Except that in this particular case the user would also have to have got filesystem write access to the Extensions directory and a Manager role in /Control_Panel in order for him to be able to comment out the code and restart Zope, because ZShell is currently an external method.

Anyway I tend to agree with you, it shouldn't be possible to bypass the security mechanism.

bye,

Jerome Alet
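The exchange above turns on where the permission check lives: a check inside code the user can edit (the ZShell external method, if they had write access to the Extensions directory) protects nothing, while a check enforced by the hosting framework before the extension is ever called survives any edit to the extension. The following is an added illustration of that distinction and is not code from the thread or from Zope; the `User`, `dispatch`, `REQUIRED_ROLE` and role names are a constructed mock, not Zope's AccessControl API.

```python
"""Added example (not from the thread, not Zope's own code): a permission
check inside a user-editable extension versus one enforced by the framework.
All names here are mock assumptions, not Zope's AccessControl API."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


class PermissionDenied(Exception):
    pass


# --- Pattern 1: the extension checks its own permission. ---
# Anyone with write access to this file can simply delete the check.
def shell_self_checking(user, command):
    if "Manager" not in user.roles:
        raise PermissionDenied(f"{user.name} is not a Manager")
    return f"ran {command!r} as {user.name}"


# The same extension after someone has "commented out" the check.
def shell_check_removed(user, command):
    return f"ran {command!r} as {user.name}"


# --- Pattern 2: the framework checks before dispatching to any extension. ---
# REQUIRED_ROLE is owned by the framework, outside the extension author's reach,
# so editing (or replacing) the extension does not remove the check.
REQUIRED_ROLE = {"shell": "Manager"}


def dispatch(registry, user, name, command):
    required = REQUIRED_ROLE.get(name)
    if required is None or required not in user.roles:
        raise PermissionDenied(f"{user.name} lacks {required!r} for {name!r}")
    return registry[name](user, command)


def _outcome(call):
    """Return 'allowed' or 'denied' for a zero-argument call."""
    try:
        call()
        return "allowed"
    except PermissionDenied:
        return "denied"


def demo():
    alice = User("alice", {"Manager"})          # constructed: a trusted admin
    bob = User("bob", {"Authenticated"})        # constructed: an ordinary user
    # Pattern 1: bob is stopped only while the check is still in the file.
    results = {
        "self_check_intact": _outcome(lambda: shell_self_checking(bob, "ls")),
        "self_check_removed": _outcome(lambda: shell_check_removed(bob, "ls")),
    }
    # Pattern 2: even the stripped extension is unreachable for bob,
    # while alice (Manager) still gets through.
    registry = {"shell": shell_check_removed}
    results["framework_check"] = _outcome(lambda: dispatch(registry, bob, "shell", "ls"))
    results["framework_check_manager"] = _outcome(lambda: dispatch(registry, alice, "shell", "ls"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the authorization decision must be made by a component the extension author cannot modify; in the thread's terms, that is why bypassing ZShell's check would additionally require filesystem write access and a Manager role to restart Zope, rather than mere access to ZShell itself.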