[Zope] Re: REMOTE_USER Security Issue
Cliff Ford
Cliff.Ford at ed.ac.uk
Tue May 16 08:15:25 EDT 2006
I have done some more testing, and despite being told that
request.environ['REMOTE_USER'] is not hackable I have hacked it and can
use the hack to get at otherwise forbidden content. For testing I have
set REMOTE_USER in the zope.conf cgi-environment variable, so I can
quickly change from being one user to another. I have read the
RemoteUserFolder source code - that is what led me to the hack.
The hack allows a user who can write a python script in his own folder
to use it to hack the entire site.
So I still wonder if anyone who is using the REMOTE_USER environment
variable is aware of a problem and has a solution.
Cliff
Tres Seaver wrote:
>
> Cliff Ford wrote:
>
>>My people want to adopt a single sign-on system for web applications
>>that is based on the REMOTE_USER environment variable. I have tried out
>>RemoteUserFolder and also adapted exUserFolder to work similarly.
>>
>>My problem is that I figured out how a user who has permission to create
>>python scripts (might work with dtml and page templates too) could
>>access otherwise forbidden content by making calls that pretend to come
>>from another user. Has anyone else come across this problem and devised
>>a solution, either in software or organisation?
>>
>>Problem verified with Zope 2.9.2 and latest RemoteUserFolder
>
> User folders who care need to look at the request's 'environ' dict, e.g.::
>
> remote_user = request.environ['REMOTE_USER'] # not hackable
>
> rather than the default one where untrusted code can scribble::
>
> remote_user = request['REMOTE_USER'] # hackable
>
>
> Tres.
> - --
> ===================================================================
> Tres Seaver +1 202-558-7113 tseaver at palladion.com
> Palladion Software "Excellence by Design" http://palladion.com
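The distinction Tres draws above (the request's generic mapping versus its 'environ' dict), as an added example that is not part of this thread and not Zope's own HTTPRequest code: a small Python model of a request object whose item lookup falls through dictionaries that in-site code can write to before it ever reaches the server-populated environ. The class ToyRequest, its lookup order, and the helpers remote_user_hackable / remote_user_from_environ / demo are assumptions made for illustration; a user folder that authenticates on the generic lookup trusts a value the server never set.

```python
# Added example (not from the thread): a simplified model, not Zope's HTTPRequest.


class ToyRequest:
    """Toy request object. Assumed lookup order: other -> form -> environ."""

    def __init__(self, environ, form=None):
        # 'environ' is filled by the web server / CGI layer only.
        self.environ = dict(environ)
        # 'form' holds client-supplied query-string / body fields.
        self.form = dict(form or {})
        # 'other' is scratch space that request.set() writes into.
        self.other = {}

    def set(self, key, value):
        # Any code holding the request object can call this.
        self.other[key] = value

    def __getitem__(self, key):
        # The generic mapping consults the writable dicts first, so a value
        # placed there shadows the server-provided REMOTE_USER.
        for source in (self.other, self.form, self.environ):
            if key in source:
                return source[key]
        raise KeyError(key)


def remote_user_hackable(request):
    """The pattern Tres warns against: generic mapping lookup."""
    return request["REMOTE_USER"]


def remote_user_from_environ(request):
    """The pattern Tres recommends: read the server-populated environ directly."""
    return request.environ["REMOTE_USER"]


def demo():
    """Show what each accessor returns before and after in-site code
    writes to the request.  Sample user names are constructed."""
    req = ToyRequest(environ={"REMOTE_USER": "alice"})
    before = (remote_user_hackable(req), remote_user_from_environ(req))
    # Untrusted in-site code scribbles on the generic mapping.
    req.set("REMOTE_USER", "admin")
    after = (remote_user_hackable(req), remote_user_from_environ(req))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the generic lookup changing from 'alice' to 'admin' after the set() call while the environ read still returns 'alice', which is the whole point of a user folder reading REMOTE_USER from environ rather than from the request mapping.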