Barry,

If you believe that this is a real problem, can you provide a step-by-step exploit via the Collector (http://classic.zope.org:8080/Collector)? There's a way to mark a Collector issue as "security-related", which means no one but DC folks can see the issue until we've found that it's not a problem or that we've got a fix.

Many thanks,

- C

barry haycock wrote:
Can anyone help me with this security issue regarding ZOPE?
If you go to www.yoursite.com/manage_workspace
you can access the manage screens of Zope.
THIS IS NOT GOOD
How can you overcome this?
I am using Solaris v8 with Apache as the web server talking to another Solaris box with Zope 2-3-0.
I have just found a way to edit the source code so that it emails me with the user name and password whenever the next person logs in. I can also edit any source code within the site.
REQUIRE QUICK RESPONSE
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )