[Zope] IIS and Zope share same problem :-S

Curtis Maloney curtis@cardgate.net
Mon, 23 Oct 2000 09:30:17 +1100


On Fri, 20 Oct 2000, Chris Withers wrote:
> Andrew Kenneth Milton wrote:
> > | http://www.zope.org/standard_html_header for example ;-)
> >
> > Not that old chestnut again...
>
> Yes, that old chestnut again. If it's considered a serious security flaw
> by Microsoft, maybe the Zope community should finally do something to
> solve it.
>
> ...and yes, there are discussions about this on Zope-dev right now,
> which will hopefully produce a solution :-)
>

Now, I may be missing the point of the fine grained access control of ZOPE, 
but knowing an object's ID is not at all the same as being able to access it, 
or even invoke it correctly.

The MS bug "allows access to any file on the webserver".  Whilst in ZOPE you 
may be able to enter the URL and invoke the object to some degree, unless you 
have the permissions to do whatever it does, what harm can you do? 

To me, this seems like more of a "patch by sensible admin" problem than a 
security hole.

> cheers,
>
> Chris
>

Have a better one,
	Curtis Maloney.