[Zope] Security Problem
Dieter Maurer
dieter@handshake.de
Sat, 29 Mar 2003 02:18:54 +0100
jamesd@mena.org.au wrote at 2003-3-27 11:39 +1000:
> I have a Zope server running with two instances of plone, "Plone1" and
> "Plone2".
> plone2 is a demo site with a user "Demo" having the role 'Manager' available
> to the public. plone1 is a regular plone site.
>
> If I log in to plone2 as the user Demo, then go to the following url:
> http://my.server/plone2/plone1
> The permissions are acquired from the demo site giving full Manager access
> to my main plone site. This is obviously a serious problem.
Zope tries hard to prevent access to protected objects defined outside
of the folder governed by the "acl_users" that authenticated
the user.
You may have found a hole...
Please file a "security related" collector report to
<http://collector.zope.org/Zope>.
Dieter
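As an added example that is not part of the original thread and not Zope's own code, the following stand-alone Python model illustrates the rule Dieter describes: a user authenticated by a given acl_users is trusted only for objects inside the folder that owns that acl_users. The two-site layout, the "Demo" user and the URLs are constructed from the report; the two candidate checks (one walking the acquisition chain a request traversed, one comparing physical containment paths) are assumptions made here to show why the difference matters, and the post does not establish which one Zope actually performed.

```python
# Added example (not Zope's code, not from the original post): a
# stand-alone model of the rule in the reply above, namely that a user
# authenticated by a given acl_users is trusted only for objects inside
# the folder that owns that acl_users.  Site layout, names and the
# "Demo" user are constructed from the report; which check real Zope
# performed is an assumption, not established by the post.

from dataclasses import dataclass


class Node:
    """A content object with a physical (containment) parent, as in a ZODB tree."""

    def __init__(self, name, parent=None, acl_users=False):
        self.name = name
        self.parent = parent          # containment parent, None for the root
        self.children = {}
        self.acl_users = acl_users    # True if this folder owns an acl_users
        if parent is not None:
            parent.children[name] = self

    def physical_path(self):
        """Tuple of names from the root, e.g. ('', 'plone2', 'news')."""
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return tuple(reversed(parts))


@dataclass(frozen=True)
class AuthUser:
    name: str
    roles: frozenset
    home: Node      # folder whose acl_users authenticated this user


def traverse(root, url_path):
    """Resolve a URL path Zope-style: each step is looked up in the
    current object and, if missing there, acquired from an ancestor in
    the chain already traversed.  Returns the acquisition chain; the last
    element is the target object."""
    chain = [root]
    for step in url_path.strip("/").split("/"):
        if not step:
            continue
        for holder in reversed(chain):        # nearest context first
            if step in holder.children:
                chain.append(holder.children[step])
                break
        else:
            raise KeyError(f"no object {step!r} reachable from {url_path!r}")
    return chain


def allowed_by_acquisition_chain(user, chain):
    """Weak variant (assumed here): trust the user if their acl_users' home
    folder appears anywhere in the chain the request traversed."""
    return user.home in chain


def allowed_by_containment(user, target):
    """Strict variant (assumed here): trust the user only if their acl_users'
    home folder physically contains the target object."""
    home = user.home.physical_path()
    return target.physical_path()[: len(home)] == home


def manager_access(user, url_path, root):
    """Answer, for both variants, whether the user gets Manager rights on
    the object a URL resolves to."""
    chain = traverse(root, url_path)
    is_manager = "Manager" in user.roles
    return {
        "chain": [node.name or "/" for node in chain],
        "acquisition_check": is_manager and allowed_by_acquisition_chain(user, chain),
        "containment_check": is_manager and allowed_by_containment(user, chain[-1]),
    }


def build_site():
    """Constructed layout from the report: two Plone sites under the root,
    each with its own acl_users, plus one ordinary child folder."""
    root = Node("")
    Node("plone1", root, acl_users=True)
    plone2 = Node("plone2", root, acl_users=True)
    Node("news", plone2)
    return root


if __name__ == "__main__":
    root = build_site()
    demo = AuthUser("Demo", frozenset({"Manager"}), root.children["plone2"])
    for url in ("/plone2/news", "/plone2/plone1", "/plone1"):
        print(url, manager_access(demo, url, root))
```

Resolving /plone2/plone1 acquires plone1 from the root through plone2, so the traversed chain is root, plone2, plone1: a check that only looks for the user's home folder somewhere in that chain accepts the request, while a check on the physical path of the final object (('', 'plone1') does not start with ('', 'plone2')) rejects it. A direct request for /plone1 is rejected by both. The practical design point is that a "was this user authenticated for this subtree?" test has to be made against the object's containment, not against whatever context the URL happened to be acquired through.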