[Zope] security - am I going crazy ?

Aleksander Salwa ololo@zeus.polsl.gliwice.pl
Fri, 8 Dec 2000 19:11:29 +0100 (CET)


A few days ago I found that on the site I'm currently working on,
everybody can add DTMLMethods and Documents (and maybe do more, I haven't
checked yet, but I think it's bad enough!) by simply entering the URL
http://www.mysite.com/manage_addDTMLMethod?id=q1&title=qq1&file=qqq1

After that Zope sends a 'Location' header to redirect the user to 'manage_main'.
That (manage_main) causes an 'Unauthorized' exception.
But the object 'q1' was added!!!

I was thinking that it's a bug in a Product. (I use LoginManager, LocalFS,
SiteAccess.) I decided to upgrade my Zope from 2.2.1 to 2.2.4 and upgrade
all Products (one good thing so far ;)). No success.
So I did a fresh install of Zope 2.2.4, without additional Products, with
a brand new Data.fs. The problem persists!
I have default security settings, so Anonymous can't "Add Documents,
Images, and Files".

Of course the user can put any DTML in this object - you know the
consequences... (and if the folder where this object is located is owned
by a high-privileged user, then this object is owned by that user too
(through acquisition)).
I just checked: I can't add Folders this way.

What's going on?!? Have I found a very big security hole, or am I
just going crazy? :(

P.S.
Just take a look at the object with id "haveIFoundABug" in the root level
of www.zope.org that I created a few seconds ago...

ololo@zeus.polsl.gliwice.pl

/--------------------------------------\
| `long long long' is too long for GCC |
\--------------------------------------/
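The behaviour reported above (the object is created, and only the redirect target manage_main raises Unauthorized) is the signature of a constructor that mutates state before any permission check and relies on a later, separate request to refuse the caller. The model below is an added example written for this page; it is not Zope's code and not the poster's, the message does not say where in Zope the check was missing, and the Folder, the role table, and the handler names are hypothetical stand-ins for manage_addDTMLMethod and manage_main. The probe function reproduces the poster's test and makes the practitioner's point: judge a mutating endpoint by whether the side effect happened, not by the error the redirect target eventually raises.

```python
"""Model of a constructor whose only permission check is on its redirect
target (added example; hypothetical stand-in for Zope's
manage_addDTMLMethod / manage_main, not real Zope code)."""

from dataclasses import dataclass, field
from typing import Optional

ADD_PERMISSION = "Add Documents, Images, and Files"
MANAGE_PERMISSION = "View management screens"

# Constructed role table: Manager holds both permissions, Anonymous holds neither.
ROLE_PERMISSIONS = {
    "Manager": {ADD_PERMISSION, MANAGE_PERMISSION},
    "Anonymous": set(),
}


class Unauthorized(Exception):
    """Raised when the acting role lacks a required permission."""


@dataclass
class Folder:
    objects: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def check_permission(role, permission):
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        raise Unauthorized(f"{role} lacks '{permission}'")


def manage_main(folder, role):
    """The management screen: protected, so it raises for Anonymous.
    This is the only place the vulnerable flow ever checks anything."""
    check_permission(role, MANAGE_PERMISSION)
    return Response(200)


def add_dtml_method_unchecked(folder, role, id, title="", file=""):
    """Pattern described in the post: create the object first, then redirect.
    The permission check happens on the redirect target, i.e. in a separate
    request, after the side effect has already been committed."""
    folder.objects[id] = {"title": title, "body": file}
    return Response(302, location="manage_main")


def add_dtml_method_checked(folder, role, id, title="", file=""):
    """Hardened form: verify the Add permission before touching the folder."""
    check_permission(role, ADD_PERMISSION)
    folder.objects[id] = {"title": title, "body": file}
    return Response(302, location="manage_main")


def probe(folder, handler, role="Anonymous", id="q1"):
    """Reproduce the poster's test: issue the add request as `role`, follow
    the redirect, and report whether the object exists afterwards.
    Returns a dict with the add request's status (None if it raised),
    whether Unauthorized was seen at any point, and whether the object was
    created. The last field is the one that matters."""
    result = {"add_status": None, "unauthorized": False, "created": False}
    try:
        resp = handler(folder, role, id=id, title="qq1", file="qqq1")
        result["add_status"] = resp.status
        if resp.location == "manage_main":
            manage_main(folder, role)
    except Unauthorized:
        result["unauthorized"] = True
    result["created"] = id in folder.objects
    return result


if __name__ == "__main__":
    for name, handler in (("unchecked", add_dtml_method_unchecked),
                          ("checked", add_dtml_method_checked)):
        print(f"{name:9s} as Anonymous: {probe(Folder(), handler)}")
    print(f"checked   as Manager:   {probe(Folder(), add_dtml_method_checked, role='Manager')}")
```

Running it shows the unchecked handler returning 302, then Unauthorized from manage_main, with `created` still True: exactly the sequence the message reports. The checked handler raises before the folder is touched, so an Anonymous probe ends with `created` False, while a Manager still gets the 302 and the object. When auditing a site, the same rule applies to a real HTTP probe: after the request, list the folder and look for the id rather than trusting the 401 or the Unauthorized page.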