[ZCM] [ZC] 1700/ 2 Reject "auth of accounts across instances is flawed"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Sat Feb 12 03:19:03 EST 2005


Issue #1700 Update (Reject) "auth of accounts across instances is flawed"
 ** Security Related ** (Public)
 Status Rejected, Zope/bug critical
To followup, visit:
  http://zope.org/Collectors/Zope/1700

==============================================================
= Reject - Entry #2 by ajung on Feb 12, 2005 3:19 am

 Status: Pending => Rejected

Cookies are tied to the 'path', the protocol 'http' or 'https' and
the hostname but *not* to the port. If cookies were tied to the port number as well, then it would be the browser's job to store the additional port information, *but* this is not a Zope issue.
________________________________________
= Request - Entry #1 by dpwildboar on Feb 11, 2005 5:51 pm

Create two Zope instances.
Create an admin account on each named admin (not sure if important, but both have the same password).
Log in as admin on one (say http://my.machine.org:8080/manage),
then just change the port to the other (e.g. http://my.machine.org:8380/manage).

You're logged in as admin on the other instance... =/

Even if the password were not the same, I am guessing that this will work. However, I haven't tried this yet. Either way it shouldn't be allowed, even with the same password.

Also, this might mean that if you had two accounts that were by chance the same, one account could log into another's on a different server (e.g. a naming convention of first name plus last initial, say david wilbur = davidw and david williams = davidw). I haven't tested this out, but in effect 'admin' on both machines is an example of this.

Side note... this could be due to use of Cookie Crumbler 1.2 (http://hathawaymix.org/Software/CookieCrumbler). I don't have time atm to test if this happens without it installed.

==============================================================
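To make the cookie scoping behind the rejection concrete, the script below is an editorial example added to this archive page; it is not code from the Zope collector, from Zope, or from CookieCrumbler. It uses Python's standard http.cookiejar, which implements browser-style cookie rules, to emulate what the reporter's browser did: a cookie issued by my.machine.org:8080 is attached to a request for my.machine.org:8380 (the port is ignored), is not attached to a request for other.machine.org (the host is honoured), and when each instance scopes its cookie with a distinct Path the two cookies stay separate. The hostnames, ports, cookie name `zope_session` and session values are constructed for the example and are not taken from the report.

```python
"""Browser cookie scoping: host and path are honoured, the port is not.

Editorial example using only the standard library. Hostnames, ports, the
cookie name and the session values are constructed; the fake response
object exists only because CookieJar.extract_cookies() wants an object
with an .info() method returning something that supports get_all().
"""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value

    def info(self):
        return self._msg


def login_sets_cookie(jar, login_url, set_cookie):
    """Pretend the server at login_url answered a login with Set-Cookie."""
    request = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse([set_cookie]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would send to url, or None if none."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def demo():
    """The reporter's scenario: one cookie, two ports on the same host."""
    jar = http.cookiejar.CookieJar()
    # Instance A (port 8080) issues a host-wide session cookie after login.
    login_sets_cookie(jar, "http://my.machine.org:8080/manage",
                      "zope_session=session-A; Path=/")
    return {
        # Sent back to the instance that issued it, as expected.
        "same_port": cookie_header_for(jar, "http://my.machine.org:8080/manage"),
        # Also sent to instance B on port 8380: the jar keys on host, not port.
        "other_port": cookie_header_for(jar, "http://my.machine.org:8380/manage"),
        # Not sent to a different hostname.
        "other_host": cookie_header_for(jar, "http://other.machine.org:8380/manage"),
    }


def demo_path_isolation():
    """Serving each instance under its own path prefix keeps cookies apart."""
    jar = http.cookiejar.CookieJar()
    login_sets_cookie(jar, "http://my.machine.org:8080/a/manage",
                      "zope_session=session-A; Path=/a/")
    login_sets_cookie(jar, "http://my.machine.org:8380/b/manage",
                      "zope_session=session-B; Path=/b/")
    return {
        "instance_a": cookie_header_for(jar, "http://my.machine.org:8080/a/manage"),
        "instance_b": cookie_header_for(jar, "http://my.machine.org:8380/b/manage"),
        # Path, not port, decides: A's cookie goes to /a/ on any port of the host.
        "a_path_other_port": cookie_header_for(jar, "http://my.machine.org:8380/a/manage"),
    }


if __name__ == "__main__":
    for name, result in (("two ports", demo()),
                         ("path isolation", demo_path_isolation())):
        print(name)
        for case, header in result.items():
            print(f"  {case:18} -> {header}")
```

The practical reading for an operator running several instances on one hostname: distinct ports give no session isolation, so either give each instance its own hostname, serve each under its own path prefix and scope the cookie to it, or make each instance validate the cookie it receives rather than trusting its presence.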