[Zope-dev] vulnerability in stock Zope

Shane Hathaway
shane@zope.com
Thu, 11 Jul 2002 10:49:21 -0400

seb bacon wrote:
> 
> 
> Shane Hathaway wrote:
> 
>> seb bacon wrote:
>>
>>> Production sites running a stock Zope are vulnerable to abuse of 
>>> their server if they have not removed the 'Examples' folder.  For 
>>> example, anyone could use 
>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>
>>
>>
>> Are you sure?  I get an "Unauthorized" error (but not until I actually 
>> try to upload).
>>
>> Shane
> 
> 
> I'm sure; I've tried it on a few sites.

Wait a minute, now I see it.  The "addFile" script has the "Manager" 
proxy role!  (And apparently my Zope is disregarding the proxy roles.) 
That's wrong.  I suggest we remove the proxy roles, replacing the proxy 
role explanation with the text "you can set proxy roles if you want 
anonymous users to be able to use this script".

Shane