Bill Seitz wrote:
By jove, you've got it!
I wish I could say I'm surprised. As long as the ZMI uses DTML it will be vulnerable to a host of stupid attacks like this one, wherever a user is allowed to create objects in the zodb with an id of their choosing. The ZMI really needs to be completely redone using page templates but it's a) a lot of work, and b) very tricky in parts thanks to import dependencies.

--
Jamie Heilman http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality. Before we know the words for it, before we know there are words, out we come bloodied and squalling with the knowledge that for all the compasses in the world, there's only one direction, and time is its only measure." -Rosencrantz