[Zope] REMOTE_USER Security Issue
    Cliff Ford
    Cliff.Ford at ed.ac.uk
    Sun May 14 18:39:12 EDT 2006

My people want to adopt a single sign-on system for web applications 
that is based on the REMOTE_USER environment variable. I have tried out 
RemoteUserFolder and also adapted exUserFolder to work similarly.

My problem is that I figured out how a user who has permission to create 
Python scripts (might work with DTML and page templates too) could 
access otherwise forbidden content by making calls that pretend to come 
from another user. Has anyone else come across this problem and devised 
a solution, either in software or organisation?

Problem verified with Zope 2.9.2 and latest RemoteUserFolder.

Cliff