-----Original Message-----
From: Shane Hathaway [mailto:zope@pi.slcc.edu]
Sent: Tuesday, February 01, 2000 7:49 PM
To: zope@zope.org
Subject: [Zope] Usage of AUTHENTICATED_USER
Zopistas,
This is unlikely to be a major issue so I'll just say what's involved in exploiting the hole. The manage_addFolder method, used to create a new folder, takes the current REQUEST as an argument. All one needs to do is call manage_addFolder without a REQUEST argument, and the extra security checks are disabled. Thus anyone who can create folders can also create default user folders.
Can you report this bug to the collector?
The issue is that there is no apparent way for a method such as manage_addFolder to get the current User object to perform a proper security check. Getting it using REQUEST['AUTHENTICATED_USER'] isn't reliable. In fact, it is possible to call <dtml-call "REQUEST.set('AUTHENTICATED_USER', bogusSuperUser)"> which works but fortunately doesn't have much effect at present. (bogusSuperUser would be a folder with DTML methods has_permission, has_role, validate, etc. and would masquerade as a SuperUser object.)
Hmmm... this might be considered a problem; can you submit this to the collector also?

-Michel
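The two weaknesses Shane describes (a permission check that only runs when the caller passes REQUEST, and an identity read from REQUEST that any DTML author can overwrite with REQUEST.set) are easy to model outside Zope. The following is an added illustration written for this page, not Zope's own code: the classes, the `createUserF` handling, and the thread-local "security context" are simplified stand-ins, and the note that later Zope releases expose the trusted user through a security manager is the only claim about real Zope it makes.

```python
import threading


class User:
    """Minimal user object: a name and a set of roles."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def has_role(self, role):
        return role in self.roles


class Request(dict):
    """Stand-in for Zope's REQUEST: a mapping that DTML can rewrite via set()."""

    def set(self, key, value):
        self[key] = value


class BogusSuperUser:
    """The masquerading object from the mail: it answers yes to every question."""

    name = "bogus"

    def has_role(self, role):
        return True


class LeakyFolder:
    """Vulnerable pattern modelled on the mail: the user-folder check only runs
    when REQUEST is supplied, and the identity it checks is read out of REQUEST."""

    def __init__(self):
        self.children = {}

    def manage_addFolder(self, id, createUserF=0, REQUEST=None):
        if REQUEST is not None and createUserF:
            user = REQUEST.get("AUTHENTICATED_USER")
            if user is None or not user.has_role("Manager"):
                raise PermissionError("Manager role required to add a user folder")
        contents = {"acl_users"} if createUserF else set()
        self.children[id] = contents
        return contents


# Trusted per-thread identity, set by the publisher after authentication and not
# reachable from DTML.  Hypothetical stand-in for what later Zope releases expose
# as getSecurityManager().getUser(); it is not Zope's implementation.
_security = threading.local()


def set_authenticated_user(user):
    _security.user = user


def get_authenticated_user():
    return getattr(_security, "user", None)


class HardenedFolder(LeakyFolder):
    """Same operation, but the check is unconditional and uses the trusted
    identity rather than anything the caller passed in."""

    def manage_addFolder(self, id, createUserF=0, REQUEST=None):
        if createUserF:
            user = get_authenticated_user()
            if user is None or not user.has_role("Manager"):
                raise PermissionError("Manager role required to add a user folder")
        contents = {"acl_users"} if createUserF else set()
        self.children[id] = contents
        return contents


def attempt(folder, id, REQUEST=None):
    """Try to create a folder with a default user folder; report the outcome."""
    try:
        folder.manage_addFolder(id, createUserF=1, REQUEST=REQUEST)
        return "allowed"
    except PermissionError:
        return "denied"


def demo():
    anon = User("anon", roles=["Anonymous"])
    req = Request(AUTHENTICATED_USER=anon)  # constructed request for the demo
    results = {}

    leaky = LeakyFolder()
    results["leaky_with_request"] = attempt(leaky, "a", REQUEST=req)
    results["leaky_without_request"] = attempt(leaky, "b")  # check is skipped
    req.set("AUTHENTICATED_USER", BogusSuperUser())  # the REQUEST.set spoof
    results["leaky_spoofed"] = attempt(leaky, "c", REQUEST=req)

    set_authenticated_user(anon)  # what the publisher established
    hardened = HardenedFolder()
    results["hardened_without_request"] = attempt(hardened, "a")
    results["hardened_spoofed"] = attempt(hardened, "b", REQUEST=req)
    set_authenticated_user(User("admin", roles=["Manager"]))
    results["hardened_manager"] = attempt(hardened, "c")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} {outcome}")
```

Running it shows the leaky folder denying the anonymous user only when REQUEST is passed, allowing the same operation when REQUEST is omitted, and allowing it again once REQUEST carries the bogus user, while the hardened folder ignores both tricks and only admits the Manager set by the trusted context.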