I get: HTTP/1.0 404 Object Not Found

P.S. Try not to send HTML to the list.

--- barry haycock <bhaycock@hotmail.com> wrote:

> Can anyone help me with this security issue regarding Zope?
>
> If you go to www.yoursite.com/manage_workspace
>
> you can access the manage screens of Zope.
>
> THIS IS NOT GOOD
>
> How can you overcome this?
>
> I am using Solaris v8 with Apache as the web server, talking to another Solaris box with Zope 2-3-0.
>
> I have just found a way to edit the source code so that it emails me with the user name and password whenever the next person logs in. I can also edit any source code within the site.
>
> REQUIRE QUICK RESPONSE

_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
> Can anyone help me with this security issue regarding Zope? If you go to www.yoursite.com/manage_workspace you can access the manage screens of Zope.
Read the chapter about security in the Zope Book ;-) In short: your anonymous user has the permission to see management screens / manage...
> REQUIRE QUICK RESPONSE

Require more reading of the docs imho ;-) Or did I miss something?

Philippe
> If you go to www.yoursite.com/manage_workspace
>
> you can access the manage screens of Zope.
>
> THIS IS NOT GOOD
>
> How can you overcome this?
>
> I am using Solaris v8 with Apache as the web server, talking to another Solaris box with Zope 2-3-0.
>
> I have just found a way to edit the source code so that it emails me with the user name and password whenever the next person logs in. I can also edit any source code within the site.
>
> REQUIRE QUICK RESPONSE
You aren't paid by Microsoft or so? ;-)

No, seriously, there is no known security bug as you describe it. If your authenticated user or anonymous user has been granted management rights, he will see the management screens. If not, he won't.

Joachim.
Barry,

If you believe that this is a real problem, can you provide a step-by-step exploit via the Collector (http://classic.zope.org:8080/Collector)? There's a way to mark a Collector issue as "security-related", which means no one but DC folks can see the issue until we've found that it's not a problem or that we've got a fix.

Many thanks,

- C

barry haycock wrote:
> Can anyone help me with this security issue regarding Zope?
>
> If you go to www.yoursite.com/manage_workspace
>
> you can access the manage screens of Zope.
>
> THIS IS NOT GOOD
>
> How can you overcome this?
>
> I am using Solaris v8 with Apache as the web server, talking to another Solaris box with Zope 2-3-0.
>
> I have just found a way to edit the source code so that it emails me with the user name and password whenever the next person logs in. I can also edit any source code within the site.
>
> REQUIRE QUICK RESPONSE
On a standard Zope installation, manage_workspace takes you to the welcome screen and you have to log on with a password to get to the management interface. (I just tried it on mine to confirm this.) You must have given anonymous users permission without realizing that you were doing so. You will need to find out where that happened and change it.

Tom P

[barry haycock]
> Can anyone help me with this security issue regarding Zope?
>
> If you go to www.yoursite.com/manage_workspace
>
> you can access the manage screens of Zope.
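Tom's check above (request manage_workspace without credentials and expect to be asked for a password) is easy to script, so it can be rerun after the anonymous permission has been removed. The following is an added example for this thread, not code from Zope or from any poster. It assumes a Zope 2 style server that answers an unauthenticated request for a protected object with 401 and a `WWW-Authenticate: Basic` header and serves an unprotected one with 200; the list of management paths, the hostnames and the sample responses are constructed for the example. Run it against the public hostname, through Apache, because that is what an anonymous visitor sees.

```python
"""Probe whether Zope management screens answer anonymous requests.

Added example for this thread; not code from Zope or from any poster.
Assumes a Zope 2 style server: a protected object answers an
unauthenticated request with 401 plus 'WWW-Authenticate: Basic ...',
while an unprotected one answers 200. Run it against the public
hostname (through Apache), because that is what Anonymous sees.
"""
import sys
import urllib.error
import urllib.request

# Management URLs worth probing. Constructed list for the example;
# only /manage_workspace comes from the thread.
MANAGE_PATHS = ("/manage_workspace", "/manage", "/manage_main", "/manage_access")


def classify(status, headers):
    """Map one (status, headers) pair to a verdict.

    'protected'  : 401 with a Basic challenge, i.e. Zope asked for a login
    'redirected' : 3xx with Location, typically a cookie login form; check it
    'EXPOSED'    : 200, the management screen was served to Anonymous
    'other'      : anything else (for example the 404 in the first reply)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    challenge = lower.get("www-authenticate", "").lower()
    if status == 401 and challenge.startswith("basic"):
        return "protected"
    if 300 <= status < 400 and "location" in lower:
        return "redirected"
    if status == 200:
        return "EXPOSED"
    return "other"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 3xx itself reaches the caller."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, opener):
    """Anonymous GET; return (status, headers) for success and error alike."""
    req = urllib.request.Request(url, headers={"User-Agent": "manage-probe/0.1"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def probe(base_url, paths=MANAGE_PATHS, fetcher=None):
    """Classify every management path under base_url, sent without credentials."""
    if fetcher is None:
        opener = urllib.request.build_opener(NoRedirect())
        fetcher = lambda url: fetch(url, opener)
    base = base_url.rstrip("/")
    return {path: classify(*fetcher(base + path)) for path in paths}


# Constructed responses standing in for two hosts, so the example runs offline:
# one site that grants Anonymous management rights and one that does not.
SAMPLE = {
    "http://open.example/manage_workspace": (200, {"Content-Type": "text/html"}),
    "http://open.example/manage": (200, {"Content-Type": "text/html"}),
    "http://locked.example/manage_workspace": (401, {"WWW-Authenticate": 'Basic realm="Zope"'}),
    "http://locked.example/manage": (302, {"Location": "/login_form"}),
}


def demo():
    """Run probe() over SAMPLE and return {host: {path: verdict}}."""
    paths = ("/manage_workspace", "/manage")
    return {
        host: probe(f"http://{host}", paths, fetcher=lambda url: SAMPLE[url])
        for host in ("open.example", "locked.example")
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: manage_probe.py http://www.yoursite.com")
    for path, verdict in probe(sys.argv[1]).items():
        print(f"{verdict:10s} {sys.argv[1].rstrip('/')}{path}")
```

An EXPOSED verdict confirms what Philippe, Joachim and Tom say: the anonymous role has been granted the permission to view management screens somewhere in the acquisition path, and the fix is in Zope's Security tab, not in the probe. After removing the grant, rerun the probe and every path should come back protected (or redirected to a login form, if a cookie-based login is in use).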
Using reportlab and an external Python program, I was having a real problem getting MSIE 5.5 to display a PDF file. All other browsers I tried worked fine, e.g. Opera, Netscape and an earlier version of MSIE. For what it's worth, here is the work-around I found:

- Open Acrobat 4.x
- Click (F)ile/(P)references/(G)eneral and uncheck "Web Browser Integration".

Note: now, when a user runs a PDF report, the user will get the IE File open/save dialog box, but at least the PDF renders now.

Cheers,
David
participants (7)
- barry haycock
- Chris McDonough
- David Hassalevris
- Jason Byron
- Joachim Werner
- Philippe Jadin
- Thomas B. Passin