[Zope-dev] vulnerability in stock Zope
seb bacon
seb@jamkit.com
Thu, 11 Jul 2002 16:39:07 +0100
>>>> Production sites running a stock Zope are vulnerable to abuse of
>>>> their server if they have not removed the 'Examples' folder. For
>>>> example, anyone could use
>>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>> Are you sure? I get an "Unauthorized" error (but not until I
>>> actually try to upload).
>>>
>>> Shane
>>
>> I'm sure, I've tried it on a few sites.
>
> Wait a minute, now I see it. The "addFile" script has the "Manager"
> proxy role! (And apparently my Zope is disregarding the proxy roles.)
> That's wrong. I suggest we remove the proxy roles, replacing the proxy
> role explanation with the text "you can set proxy roles if you want
> anonymous users to be able to use this script".
Don't forget the Message Board application too. Are you fixing this or
shall I?
seb