I took the comment off the publicly viewable site... not to hide the security hole, but to keep from giving the zope.org site a bad name... let's report holes to Digital Creations, not exploit them and make the site look bad... I'm sure you meant well...

Tad Murphy
"cybertad"
http://www.zope.org/Members/cybertad/

----- Original Message -----
From: Andy Dustman <adustman@comstar.net>
To: <zope@zope.org>
Sent: Thursday, September 16, 1999 4:47 PM
Subject: [Zope] BIG security hole in www.zope.org

| I found this somewhat by accident. I set up a membership and after awhile,
| wanted to change my index_html. Unfortunately, I didn't get a copy, so it
| is inheriting the one from above. So, I tried this:
|
| http://www.zope.org/Members/adustman/index_html/manage
|
| Not only does this work, it lets me make the change. Which is why it
| presently says, "Hey, man, if you can read this, something is seriously
| hosed." On the members list, and every member page with the default
| index_html. Probably the security is set wrong up above (I hope).
|
| --
| andy dustman | programmer/analyst | comstar.net, inc.
| telephone: 770.485.6025 / 706.549.7689 | icq: 32922760 | pgp: 0xc72f3f1d
|
|
| _______________________________________________
| Zope maillist - Zope@zope.org
| http://www.zope.org/mailman/listinfo/zope
|
| (To receive general Zope announcements, see:
| http://www.zope.org/mailman/listinfo/zope-announce
|
| For developer-specific issues, zope-dev@zope.org -
| http://www.zope.org/mailman/listinfo/zope-dev )
|