[Zope] serious security hole in manage users / Manage users permissions?
Niels Dettenbach
nd at syndicat.com
Mon Oct 24 14:05:03 UTC 2011
Dear Zope 2.12/.13 (4.0) devels,
as far as i can see i may have found a serious security hole within Zope 2.12
/ 2.13 (4.0 not tested yet) - I'm still investigate here further...
problem:
======
Even on fresh Installs of Zope and fresh created instances on it anonymous /
remote users able to access acl_users/manage_users by the web WITHOUT
AUTHENTICATION. They can edit / delete / create users and serving roles as
they want. Other management screens (as manage_main or manage_access aso. are
protected as usual).
In manage_access Manage user is only allowed for Manager (as by default).
I don't believe that is any new behaviour of newer Zope versions...
I've tested this with (last public) 2.13.10 and last 2.12.20 with python2.6.
If any of the devels want to have a test url pls contact me directly.
Fresh installed zope instances was configured with defaults configs, except
setting "user zope" (and/or port-base). Tried it with now owner or the admin
user as owner of the acl_users too.
Can anyone prove this here too? If so, any solution / security fix?
many thanks,
best regards.
Niels.
--
---
Niels Dettenbach
Syndicat IT&Internet
http://www.syndicat.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://mail.zope.org/pipermail/zope/attachments/20111024/b88ad32a/attachment.bin
More information about the Zope
mailing list