[Zope] security

Joachim Werner joe@iuveno-net.de
Fri, 15 Jun 2001 10:00:55 +0200


> If you go to www.yoursite.com/manage_workspace
>
> you can access the manage screens of Zope
>
> THIS IS NOT GOOD
>
> How can you overcome this?
>
> I am using Solaris v8 with Apache as the web server talking to another
> Solaris box with Zope 2-3-0
>
> I have just found a way to edit the source code so that it emails me with
> the user name and password whenever the next person logs in.  I can also
> edit any source code within the site.
>
> REQUIRE QUICK RESPONSE

You aren't paid by Microsoft or so? ;-)

No, seriously, there is no known security bug as you describe it. If your
authenticated user or anonymous user has been granted management rights, he
will see the management screens. If not, he won't.


Joachim.