[Zope] Security Problem

Dylan Reinhardt zope@dylanreinhardt.com
26 Mar 2003 19:33:02 +0000

On Thu, 2003-03-27 at 01:39, jamesd@mena.org.au wrote:
> If I log in to plone2 as the user Demo, then go to the following url:
> http://my.server/plone2/plone1
> The permissions are acquired from the demo site giving full Manager access
> to my main plone site. This is obviously a serious problem.

Yep.  This is a huge vulnerability in certain configurations.

But the *real* problem is not that plone1 methods can be applied to
plone2 objects.  That is a feature, not a bug. :-)

Rather, the problem is that you have implicitly *permitted* this to take
place by using common roles across sites.  I suspect that you're hardly
alone in setting up your site this way.  In fact, I was auditing one of
my own sites and stumbled across a variant of this technique that
allowed arbitrary access to virtually any object on the server.  Yikes!

I'm working on a howto for this concern... but in the interim, I'd
strongly recommend taking three steps to secure *any* multi-user,
multi-host Zope app:

1. Reserve the Manager role for server administration only.  Just as
importantly, don't *ever* assign a Manager proxy role unless you are
certain you've worked out all the implications of that method being
applied to arbitrary objects.

2. Use different roles for different groups of users.  Create
site-specific, function-specific roles like site1_admin, site2_admin,
site1_user, etc.  Use server-wide roles  sparingly and define them
narrowly (send_mail, add_user, etc).  

3. Disable/restrict "view folder contents" permissions for all folders
that are parents of your site root folders.  Leaving that permission
turned on for Anonymous (the default) allows virtually anyone to obtain
details about your server setup that are quite handy for setting up
cross-site scripting exploits.  It's shockingly easy to do this and
there are few (if any) reasons why you'd want that feature enabled for
parents of your site roots anyway.