[Zope] SECURITY: Zope security alert and hotfix product...
Brian Lloyd
Brian@digicool.com
Thu, 10 Aug 2000 14:15:29 -0400
Hi all -
We have recently become aware of an important security issue
that affects all released Zope versions prior to 2.2.1 beta 1.
The issue involves the fact that the getRoles method of user objects
contained in the default UserFolder implementation returns a mutable
Python type. Because the mutable object is still associated with the
persistent User object, users with the ability to edit DTML could
arrange to give themselves extra roles for the duration of a single
request by mutating the roles list as a part of the request
processing.
While we know of no instances of this issue being used to exploit a
site, we *highly* recommend that any Zope site running versions of
Zope prior to 2.2.1 have this hotfix product installed to mitigate
the issue if the site is accessible by untrusted users who have DTML
editing privileges.
A hotfix for this issue in the form of an add-on Zope product has been
made available on zope.org. To install the hotfix, simply download and
install the package as you would any other Zope add-on product
(extract it in the root of your Zope installation). Remember to restart
your Zope installation for the hotfix to take effect.
http://www.zope.org/Products/Zope/Hotfix_08_09_2000/Hotfix_08_09_2000.tgz
The hotfix will work for all versions of Zope 2.0 and higher. The
forthcoming Zope 2.2.1 beta 1 release will contain the fix for this
issue, and you will be able to uninstall the hotfix after upgrading
to 2.2.1 beta 1 or higher (though nothing bad will happen if you
don't uninstall it).
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
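The following is an added illustration of the flaw class the message describes, not code from Zope or from Digital Creations. It is a constructed toy: the class names (MutableRolesUser, ImmutableRolesUser), the helper names (has_role, untrusted_dtml, run_request) and the role names are assumptions chosen for the example and are not Zope identifiers. The vulnerable variant hands back the stored role list itself, so request-time code controlled by a DTML author can append a role and pass a later check in the same request; the hardened variant returns an immutable snapshot, so the same append fails and the check is unaffected.

```python
# Constructed example, not Zope's UserFolder code. All names below are
# stand-ins chosen for this illustration.

class MutableRolesUser:
    """Vulnerable pattern: getRoles() returns the list stored on the
    user object, so any caller that mutates it mutates the user."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        return self._roles


class ImmutableRolesUser(MutableRolesUser):
    """Hardened pattern: return an immutable snapshot. Returning a fresh
    copy (list(self._roles)) would also break the aliasing."""

    def getRoles(self):
        return tuple(self._roles)


def has_role(user, role):
    """Stand-in for an authorization check made later in the request."""
    return role in user.getRoles()


def untrusted_dtml(user):
    """Stand-in for request-time code an untrusted DTML author controls.
    It can only call getRoles() and operate on whatever comes back."""
    roles = user.getRoles()
    try:
        roles.append('Manager')          # succeeds on a list
        return True
    except AttributeError:
        return False                     # a tuple has no append()


def run_request(user):
    """Simulate one request: check, let untrusted code run, check again.
    Returns (had_manager_before, has_manager_after)."""
    before = has_role(user, 'Manager')
    untrusted_dtml(user)
    during = has_role(user, 'Manager')
    return before, during


if __name__ == '__main__':
    print(run_request(MutableRolesUser('alice', ['Authenticated'])))
    print(run_request(ImmutableRolesUser('alice', ['Authenticated'])))
```

The practical check this suggests for any user store, not just this one: call getRoles() (or its equivalent), try to mutate the result, and confirm that a second call does not reflect the change.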