[Zope-dev] Server Side Trojan Issue really dead?

Chris Withers chrisw@nipltd.com
Mon, 07 Aug 2000 09:54:25 +0100


Hi,

This comes from a chat on #zope and some worries I've had since the
server side issue was raised.

Unless I'm mistaken, the new security model doesn't solve the issue
because ownership isn't changed by editing.

Lets take the example of a ZWiki page which executes any DTML in its
contents when it is rendered.
Jim in a Manager
Paul is a Manager
DrEvil has the ability to edit ZWiki Pages, but not call the DEE (Delete
Everything, Everywhere ;-) Method

So, Jim comes along an creates a ZWiki Page describing the new security
model.

DrEvil comes along, edits the page and plants a <dtml-call
"DEE(backup='no')"> in the page.
He can't view this page since, as I understand it, code is executed with
the lower of the owner and the viewer's permissions.

Paul comes along to read the new ZWiki page, and IIUC, inadvertently
executes DEE and deletes everything, everywhere, because he is a
manager, and Jim (still the owner) is a manager and so DEE executes.

Have I missed something?

cheers,

Chris