[Zope] BIG security hole in www.zope.org

Andy Dustman adustman@comstar.net
Thu, 16 Sep 1999 17:47:53 -0400 (EDT)


I found this somewhat by accident. I set up a membership and after a while,
wanted to change my index_html. Unfortunately, I didn't get a copy, so it
is inheriting the one from above. So, I tried this:

http://www.zope.org/Members/adustman/index_html/manage

Not only does this work, it lets me make the change. Which is why it
presently says, "Hey, man, if you can read this, something is seriously
hosed." On the members list, and every member page with the default
index_html. Probably the security is set wrong up above (I hope).

-- 
andy dustman       |     programmer/analyst     |      comstar.net, inc.
telephone: 770.485.6025 / 706.549.7689 | icq: 32922760 | pgp: 0xc72f3f1d