[Zope] serious security hole in manage users / Manage users permissions?

Laurence Rowe l at lrowe.co.uk
Mon Oct 24 14:11:04 UTC 2011


Potential security issues should not be discussed on public mailing
lists but submitted to security-response at zope.org. Please submit the
full information to that address and do not follow up further on this
list.

Laurence

On 24 October 2011 15:05, Niels Dettenbach <nd at syndicat.com> wrote:
> Dear Zope 2.12/.13 (4.0) devels,
>
>
> as far as i can see i may have found a serious security hole within Zope 2.12
> / 2.13 (4.0 not tested yet) - I'm still investigate here further...
>
>
> problem:
> ======
> Even on fresh Installs of Zope and fresh created instances on it anonymous /
> remote users able to access acl_users/manage_users by the web WITHOUT
> AUTHENTICATION. They can edit / delete / create users and serving roles as
> they want. Other management screens (as manage_main or manage_access aso. are
> protected as usual).
>
> In manage_access Manage user is only allowed for Manager (as by default).
>
> I don't believe that is any new behaviour of newer Zope versions...
>
> I've tested this with (last public) 2.13.10 and last 2.12.20 with python2.6.
>
> If any of the devels want to have a test url pls contact me directly.
>
> Fresh installed zope instances was configured with defaults configs, except
> setting "user zope" (and/or port-base). Tried it with now owner or the admin
> user as owner of the acl_users too.
>
> Can anyone prove this here too? If so, any solution / security fix?
>
>
> many thanks,
> best regards.
>
>
> Niels.
>
> --
> ---
> Niels Dettenbach
> Syndicat IT&Internet
> http://www.syndicat.com/
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> https://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  https://mail.zope.org/mailman/listinfo/zope-announce
>  https://mail.zope.org/mailman/listinfo/zope-dev )
>
>


More information about the Zope mailing list