SECURITY alert and hotfix release
Hi all,

Aleksander Salwa has brought a security issue to our attention that affects all Zope versions up to and including Zope 2.2.4. We have released a Hotfix product to address the issue that can be downloaded from zope.org. (Thanks to Aleksander for finding this and to Shane Hathaway for his quick response in resolving it!)

The issue involves security registration of "legacy" names for certain object constructors such as the constructors for DTML Method objects. Security was not being applied correctly for the legacy names, making it possible to call those constructors without the permissions that should have been required. This issue could allow anonymous users with enough internal knowledge of Zope to instantiate new DTML Method instances through the Web.

The hotfix for this issue is available on the zope.org web site:

  o http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz

We *highly* recommend that any Zope site running versions of Zope up to and including 2.2.4 have this hotfix product installed to mitigate the issue. The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading.

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com
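The registration gap described above, as an added illustration that is not the advisory's or Zope's own code: a small Python model of name-based protection in which `PermissionRole`, `ObjectManager` and the constructor bodies are constructed stand-ins, the audit `undeclared_names` is mine, and `register_legacy` is an assumed form of how a hotfix applies a legacy-name tuple.

```python
# Added example (not code from the advisory or from Zope): a minimal model of
# Zope 2 style name-based protection, where a method is guarded by a
# <name>__roles__ attribute, so every alias name needs its own declaration.
PERMISSION = "Add Documents, Images, and Files"

class PermissionRole:
    """Stand-in for AccessControl.PermissionRole (assumed shape: records
    the permission a name requires)."""
    def __init__(self, permission):
        self.permission = permission

def addDTMLMethod(self, id, file=""):
    """Hypothetical constructor body; the real one is OFS.DTMLMethod's."""
    return ("DTMLMethod", id)

def addDTMLDocument(self, id, file=""):
    """Hypothetical stand-in for OFS.DTMLDocument.addDTMLDocument."""
    return ("DTMLDocument", id)

class ObjectManager:
    """Canonical name declared, legacy aliases bound but undeclared: the
    defect pattern the advisory describes, modelled with constructed names."""
    manage_addDTMLMethod = addDTMLMethod
    manage_addDTMLMethod__roles__ = PermissionRole(PERMISSION)
    manage_addDocument = addDTMLMethod          # legacy alias, no __roles__
    manage_addDTMLDocument = addDTMLDocument    # legacy alias, no __roles__

def undeclared_names(cls):
    """Audit: public callables on cls with no matching <name>__roles__.
    hasattr is used so declarations inherited from base classes count."""
    return sorted(
        name for name, value in vars(cls).items()
        if callable(value) and not name.startswith("_")
        and not name.endswith("__roles__")
        and not hasattr(cls, name + "__roles__"))

LEGACY = (  # same shape as the legacy tuple in the patch in this thread
    ("manage_addDocument", addDTMLMethod),
    ("manage_addDTMLMethod", addDTMLMethod),
    ("manage_addDTMLDocument", addDTMLDocument),
)

def register_legacy(cls, legacy, permission):
    """Assumed form of the hotfix's registration (the loop itself is not in
    the posted patch): declare the permission under each exact legacy name."""
    for name, fn in legacy:
        setattr(cls, name, fn)
        setattr(cls, name + "__roles__", PermissionRole(permission))
    return undeclared_names(cls)
```

Running `undeclared_names` before and after `register_legacy` shows the two aliases flagged first and nothing flagged once every legacy name carries its own declaration.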
On Fri, Dec 08, 2000 at 03:48:52PM -0500, Brian Lloyd wrote:
> The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading.
A slight modification to the patch makes it work (meaning, "run without raising an exception") on Zope 2.1.6; patch below. Can someone at DC confirm that this patched version fixes the problem for 2.1.x and doesn't break anything else? (If you want to privately send me an exploit, that would be quite helpful.) --amk --- __init__.py Fri Dec 8 15:25:48 2000 +++ /home/akuchlin/__init__.py Fri Dec 8 17:09:05 2000 @@ -107,13 +107,14 @@ # and make sure the roles are set correctly. import OFS +from OFS import DTMLMethod, DTMLDocument from AccessControl.PermissionRole import PermissionRole OM = OFS.ObjectManager.ObjectManager legacy = ( - ('manage_addDocument', OFS.DTMLMethod.addDTMLMethod), - ('manage_addDTMLMethod', OFS.DTMLMethod.addDTMLMethod), - ('manage_addDTMLDocument', OFS.DTMLDocument.addDTMLDocument), + ('manage_addDocument', DTMLMethod.addDTMLMethod), + ('manage_addDTMLMethod', DTMLMethod.addDTMLMethod), + ('manage_addDTMLDocument', DTMLDocument.addDTMLDocument), ) permission = 'Add Documents, Images, and Files'
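Review bot: the only functional change in the hunk is swapping the attribute access `OFS.DTMLMethod.addDTMLMethod` / `OFS.DTMLDocument.addDTMLDocument` for the explicit `from OFS import DTMLMethod, DTMLDocument`, yet the unchanged `OM = OFS.ObjectManager.ObjectManager` two lines later still relies on the bare `import OFS` having loaded the `ObjectManager` submodule; if explicit imports were needed for the first two on 2.1.6, `from OFS import ObjectManager` would be the consistent change and would make the dependency explicit rather than relying on import order. Since the `legacy` tuple and `permission` are otherwise identical, this is an import-compatibility change only and does not by itself establish that the legacy-name registration is needed or effective on 2.1.x, which is the confirmation the message asks DC for.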
Andrew Kuchling wrote:
> On Fri, Dec 08, 2000 at 03:48:52PM -0500, Brian Lloyd wrote:
> > The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading.
> A slight modification to the patch makes it work (meaning, "run without raising an exception") on Zope 2.1.6; patch below. Can someone at DC confirm that this patched version fixes the problem for 2.1.x and doesn't break anything else? (If you want to privately send me an exploit, that would be quite helpful.)
AFAICT 2.1.6 is not vulnerable.

Shane
participants (3)
- Andrew Kuchling
- Brian Lloyd
- Shane Hathaway