[Zope] non-root managers can remove products
Brian Lloyd
brian@digicool.com
Fri, 9 Mar 2001 09:46:33 -0500
> > Now go to http://yourserver.com/a/Control_Panel/manage_main. Log in as
> > bob. The page is displayed, and some of the options work, like you can
> > remove products.
> >
> > Is this a bug or a misunderstanding on my part?
>
> It looks like a big security hole in Zope. The problem here is that
> Control_Panel should not be acquired. Please report the bug to the
> Collector.
FYI - I'm looking at this now. What I know so far is that
it is definitely wrong and that it only affects 2.3.x
(2.2.5 and earlier are ok). Stay tuned.
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com