[Zope] BIG security hole in www.zope.org

Andy Dustman adustman@comstar.net
Thu, 16 Sep 1999 17:52:45 -0400 (EDT)


On Thu, 16 Sep 1999, Andy Dustman wrote:

> I found this somewhat by accident. I set up a membership and after a while,
> wanted to change my index_html. Unfortunately, I didn't get a copy, so it
> is inheriting the one from above. So, I tried this:
> 
> http://www.zope.org/Members/adustman/index_html/manage
> 
> Not only does this work, it lets me make the change. Which is why it
> presently says, "Hey, man, if you can read this, something is seriously
> hosed." On the members list, and every member page with the default
> index_html. Probably the security is set wrong up above (I hope).

It's way worse than I thought: You can do the same thing with at least
standard_html_footer! Hope all you Digital Creations guys haven't gone
home yet...

-- 
andy dustman       |     programmer/analyst     |      comstar.net, inc.
telephone: 770.485.6025 / 706.549.7689 | icq: 32922760 | pgp: 0xc72f3f1d
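The behaviour described in this thread comes down to where the authorization check is made: an object acquired from a parent folder was reachable through a member's URL, and the member's management rights on their own folder were applied to it. The following is an added, constructed model of that check and its hardened form; it is not Zope code, and the folder names, roles and functions (`acquire`, `manage_vulnerable`, `manage_fixed`) are assumptions for illustration only.

```python
"""Toy model of Zope-style acquisition and the authorization check.
Constructed example, not Zope's own code or data model."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    objects: Dict[str, "Document"] = field(default_factory=dict)
    managers: Set[str] = field(default_factory=set)  # users holding Manager here


@dataclass
class Document:
    name: str
    container: Folder  # physical location of the object
    body: str


def acquire(folder: Folder, name: str) -> Optional[Document]:
    """Walk up the containment chain until an object called `name` is found.
    This is the acquisition that lets Members/adustman/index_html resolve to
    the site-wide index_html when the member has no copy of their own."""
    f = folder
    while f is not None:
        if name in f.objects:
            return f.objects[name]
        f = f.parent
    return None


def has_manager_role(user: str, folder: Folder) -> bool:
    """Roles are acquired as well: a Manager on a parent is a Manager below."""
    f = folder
    while f is not None:
        if user in f.managers:
            return True
        f = f.parent
    return False


def manage_vulnerable(user: str, context: Folder, name: str, new_body: str) -> bool:
    """Flawed check: authorizes against the URL context the object was reached
    through. A member who manages their own folder can therefore edit an
    object that actually lives at the site root."""
    doc = acquire(context, name)
    if doc is None or not has_manager_role(user, context):
        return False
    doc.body = new_body
    return True


def manage_fixed(user: str, context: Folder, name: str, new_body: str) -> bool:
    """Hardened check: authorizes against the object's physical container,
    regardless of the path it was acquired through."""
    doc = acquire(context, name)
    if doc is None or not has_manager_role(user, doc.container):
        return False
    doc.body = new_body
    return True


def build_site():
    """Constructed site: root (managed by 'admin') -> Members -> adustman."""
    root = Folder("root", managers={"admin"})
    members = Folder("Members", parent=root)
    member_folder = Folder("adustman", parent=members, managers={"adustman"})
    root.objects["index_html"] = Document("index_html", root, "Welcome")
    return root, member_folder


def demo(handler):
    """Attempt an edit of the acquired index_html from the member's folder
    and report (whether it was allowed, resulting body of the root object)."""
    root, member_folder = build_site()
    changed = handler("adustman", member_folder, "index_html", "changed")
    return changed, root.objects["index_html"].body


if __name__ == "__main__":
    print("vulnerable:", demo(manage_vulnerable))  # (True, 'changed')
    print("fixed:     ", demo(manage_fixed))       # (False, 'Welcome')
```

The fixed variant still lets a root Manager edit the root object through any acquisition path, because `doc.container` is the root folder; only the member's locally acquired rights stop applying to objects they do not own.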