[Zope] [Security advisory] Zope 2.7 + 2.8

Andreas Jung lists at andreas-jung.com
Thu Dec 9 12:58:37 EST 2004


Synopsis:

    Due to an error in the cAccessControl module of Zope it is possible to
    bring down a complete Zope site as documented in

     http://mail.zope.org/pipermail/zope-dev/2004-December/024087.html

    This exploit causes a segmentation fault of the Python interpreter.
    At least all Zope installations that allow untrusted users to edit
    ZPTs (possibly DTML as well), either through the ZMI or through the
    file system, are vulnerable to it.


Affected versions:

     Zope 2.7.X, Zope 2.8.X


Recommended solution:

    Turn off cAccessControl and enable the Python AccessControl implementation
    in etc/zope.conf (this line is commented out in the default configuration):

      security-policy-implementation python
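Because the shipped zope.conf carries the directive only as a commented-out example, the C implementation stays active until an uncommented line is added. The following script is an added example (it is not part of the advisory and not Zope code) that reads a zope.conf and reports which security-policy implementation would be loaded; it assumes the directive is `security-policy-implementation`, that its value is matched case-insensitively, and that the default is C when the line is absent or commented out. The sample configurations are constructed for the example.

```python
"""Report which AccessControl security-policy implementation a zope.conf
selects (added example; not part of the advisory or of Zope itself)."""

import re
import sys

# Directive name as used in zope.conf; the C implementation is the default
# when the directive is absent or only present in a comment (assumption
# stated in the lead-in).
DIRECTIVE = "security-policy-implementation"
DEFAULT = "C"
_PATTERN = re.compile(r"^\s*" + re.escape(DIRECTIVE) + r"\s+(\S+)", re.IGNORECASE)


def active_security_policy(conf_text):
    """Return 'C' or 'PYTHON' for the given zope.conf text.

    Comment lines (starting with '#') are skipped, so the commented example
    in the default configuration does not enable the Python policy.  If the
    directive appears more than once, the last uncommented occurrence wins.
    The value is upper-cased so the advisory's lowercase 'python' is treated
    like 'PYTHON'.
    """
    value = DEFAULT
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _PATTERN.match(line)
        if match:
            value = match.group(1).upper()
    return value


def uses_vulnerable_c_policy(conf_text):
    """True when cAccessControl (the C implementation) would be loaded,
    i.e. the mitigation recommended in the advisory is not in effect."""
    return active_security_policy(conf_text) == "C"


# Constructed sample configurations (not taken from any real deployment).
DEFAULT_CONF = """\
# Directive: security-policy-implementation
# Default: C
#
#    security-policy-implementation python
instancehome $INSTANCE
"""

MITIGATED_CONF = DEFAULT_CONF + "security-policy-implementation python\n"


if __name__ == "__main__":
    # Usage: python check_policy.py [path/to/zope.conf]
    # Without an argument the constructed default configuration is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = DEFAULT_CONF
    policy = active_security_policy(text)
    if policy == "C":
        print("security policy: C (cAccessControl) - mitigation NOT applied")
    else:
        print("security policy: %s - mitigation applied" % policy)
```

Run it against each instance's etc/zope.conf after editing; a result of C means the commented example was not actually uncommented or a later line re-selects the C implementation.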


A fixed implementation of cAccessControl will be included in the upcoming
Zope 2.7.4 beta 2 release.


----
Andreas Jung
Zope 2 Release Manager


