[Zope] Usage of AUTHENTICATED_USER

Michel Pelletier michel@digicool.com
Wed, 2 Feb 2000 10:40:57 -0500


> -----Original Message-----
> From: Shane Hathaway [mailto:zope@pi.slcc.edu]
> Sent: Tuesday, February 01, 2000 7:49 PM
> To: zope@zope.org
> Subject: [Zope] Usage of AUTHENTICATED_USER
> 
> 
> Zopistas,
> 
> This is unlikely to be a major issue so I'll just say what's involved in
> exploiting the hole.  The manage_addFolder method, used to create a new
> folder, takes the current REQUEST as an argument.  All one needs to do is
> call manage_addFolder without a REQUEST argument, and the extra security
> checks are disabled.  Thus anyone who can create folders can also create
> default user folders.

Can you report this bug to the collector?
 
> The issue is that there is no apparent way for a method such as
> manage_addFolder to get the current User object to perform a proper
> security check.  Getting it using REQUEST['AUTHENTICATED_USER'] isn't
> reliable.  In fact, it is possible to call
> <dtml-call "REQUEST.set('AUTHENTICATED_USER', bogusSuperUser)">
> which works but fortunately doesn't have much effect at present.
> (bogusSuperUser would be a folder with DTML methods has_permission,
> has_role, validate, etc. and would masquerade as a SuperUser object.)

Hmmm... this might be considered a problem, can you submit this to the
collector also?

-Michel
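The two weaknesses Shane describes, modelled in plain Python as an added example (this is not code from the thread and not Zope's own implementation; the class and function names, the 'Author' and 'Manager' roles and the 'acl_users' marker are assumptions for illustration). The vulnerable shape puts the privileged-option check behind an optional REQUEST argument and reads the user back out of that mutable REQUEST, so it can be skipped by omitting REQUEST or fooled by overwriting AUTHENTICATED_USER with an object that merely answers has_role the way a superuser would. The hardened shape takes the user from state the authentication layer set out of band and runs the check unconditionally.

```python
import threading


class User:
    """Minimal stand-in for a Zope user object (constructed for this example)."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_role(self, role):
        return role in self.roles


class BogusSuperUser:
    """The thread's bogusSuperUser: anything that answers has_role/has_permission
    the way a real SuperUser would, placed into REQUEST by the attacker."""

    name = 'bogus'

    def has_role(self, role):
        return True

    def has_permission(self, permission, obj=None):
        return True


class Request(dict):
    """Stand-in for REQUEST: a mapping any caller can mutate, which is why
    REQUEST['AUTHENTICATED_USER'] cannot serve as an authority."""


class Folder:
    def __init__(self, id):
        self.id = id
        self.objects = {}


def _build_folder(parent, id, create_user_folder):
    folder = Folder(id)
    if create_user_folder:
        # 'acl_users' is used here only as a marker for "a user folder was created"
        folder.objects['acl_users'] = 'UserFolder'
    parent.objects[id] = folder
    return folder


# Vulnerable shape: the check is reachable only through REQUEST, and the user
# it consults is read from the caller-writable REQUEST mapping.
def add_folder_vulnerable(parent, id, create_user_folder=False, REQUEST=None):
    if REQUEST is not None:
        user = REQUEST['AUTHENTICATED_USER']
        if create_user_folder and not user.has_role('Manager'):
            raise PermissionError('Manager role needed to create a user folder')
    return _build_folder(parent, id, create_user_folder)


# Hardened shape: the authenticated user is recorded by the authentication
# layer in thread-local state that request-level code does not rewrite.
_security = threading.local()


def set_authenticated_user(user):
    _security.user = user


def get_authenticated_user():
    return getattr(_security, 'user', None)


def add_folder_hardened(parent, id, create_user_folder=False, REQUEST=None):
    user = get_authenticated_user()          # never taken from REQUEST
    if user is None:
        raise PermissionError('no authenticated user')
    if create_user_folder and not user.has_role('Manager'):
        raise PermissionError('Manager role needed to create a user folder')
    return _build_folder(parent, id, create_user_folder)


def user_folder_created(parent, id):
    folder = parent.objects.get(id)
    return folder is not None and 'acl_users' in folder.objects


def run_scenarios():
    """Return, per scenario, whether a low-privileged user got a user folder."""
    alice = User('alice', ['Author'])        # may add folders, is not a Manager
    set_authenticated_user(alice)
    results = {}

    root = Folder('root')                    # 1. honest call: check runs, refuses
    try:
        add_folder_vulnerable(root, 'f1', True, Request(AUTHENTICATED_USER=alice))
    except PermissionError:
        pass
    results['vuln_with_request'] = user_folder_created(root, 'f1')

    root = Folder('root')                    # 2. omit REQUEST: check skipped
    add_folder_vulnerable(root, 'f2', True)
    results['vuln_without_request'] = user_folder_created(root, 'f2')

    root = Folder('root')                    # 3. REQUEST.set('AUTHENTICATED_USER', bogus)
    req = Request(AUTHENTICATED_USER=alice)
    req['AUTHENTICATED_USER'] = BogusSuperUser()
    add_folder_vulnerable(root, 'f3', True, req)
    results['vuln_spoofed_user'] = user_folder_created(root, 'f3')

    root = Folder('root')                    # 4. hardened: neither trick works
    for request in (None, req):
        try:
            add_folder_hardened(root, 'f4', True, request)
        except PermissionError:
            pass
    results['hardened'] = user_folder_created(root, 'f4')
    return results


if __name__ == '__main__':
    for name, created in run_scenarios().items():
        print(f'{name}: user folder created = {created}')
```

Running the module prints one line per scenario; only the two attacks against the vulnerable shape succeed. The point of the thread-local is not the mechanism itself but that the identity used for the check is established by authentication and is neither optional nor writable from the code being checked.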