[Zope-dev] vulnerability in stock Zope
Shane Hathaway
shane@zope.com
Thu, 11 Jul 2002 10:42:52 -0400
seb bacon wrote:
>
>
> Shane Hathaway wrote:
>
>> seb bacon wrote:
>>
>>> Production sites running a stock Zope are vulnerable to abuse of
>>> their server if they have not removed the 'Examples' folder. For
>>> example, anyone could use
>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>
>>
>>
>> Are you sure? I get an "Unauthorized" error (but not until I actually
>> try to upload).
>>
>> Shane
>
>
> I'm sure, I've tried it on a few sites.
Hmm, it would appear that the "Add Documents, Images, and Files"
permission is enabled for anonymous. It shouldn't be, obviously.
Shane