[Zope] BIG security hole in www.zope.org

davidbro@namshub.org davidbro@namshub.org
Thu, 16 Sep 1999 14:51:59 -0700


I can see it...  I think he's right.

Perhaps this is a general Zope problem.  He got the index_html through
aquisition, and it editted it in place.

Perhaps it should work like NewtonScript -- you could get to object
attributes in a similar way, but if you changed them, it stored the
changed attribute in the local object, rather than in the inheritted
object.

Like this: ObjectA has attribute A, and ObjectB inherits from ObjectA.
You can evaluate an expression like "ObjectB.A" and it would fetch the
value from ObjectA.  But if you chaged the value, like "ObjectB.A =
foo", that created an attribute A in ObjectB.  Copy on write, so to
speak.

On Thu, Sep 16, 1999 at 05:47:53PM -0400, Andy Dustman wrote:
> I found this somewhat by accident. I set up a membership and after awhile,
> wanted to change my index_html. Unfortunately, I didn't get a copy, so it
> is inheriting the one from above. So, I tried this:
> 
> http://www.zope.org/Members/adustman/index_html/manage
> 
> Not only does this work, it lets me make the change. Which is why it
> presently says, "Hey, man, if you can read this, something is seriously
> hosed." On the members list, and every member page with the default
> index_html. Probably the security is set wrong up above (I hope).