[Zope] Security Problem

Dieter Maurer dieter@handshake.de
Sat, 29 Mar 2003 02:18:54 +0100


jamesd@mena.org.au wrote at 2003-3-27 11:39 +1000:
 > I have a Zope server running with two instances of plone, "Plone1" and
 > "Plone2".
 > plone2 is a demo site with a user "Demo" having the role 'Manager' available
 > to the public. plone1 is a regular plone site.
 > 
 > If I log in to plone2 as the user Demo, then go to the following url:
 > http://my.server/plone2/plone1
 > The permissions are acquired from the demo site giving full Manager access
 > to my main plone site. This is obviously a serious problem.

Zope tries hard to prevent access to protected objects defined outside
of the folder governed by the "acl_users" that authenticated
the user.

You may have found a hole...

Please file a "security related" collector report to
<http://collector.zope.org/Zope>.


Dieter
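A simplified model of the containment check Dieter describes, added here as an illustration and not Zope's own code: the Node/traverse/effective_roles names are invented, and the site layout (plone1 and plone2 as siblings under the root, a user "Demo" with Manager in plone2's acl_users) follows the report above. It shows why the URL /plone2/plone1 reaches plone1 by acquisition even though plone1 is not inside plone2, and how checking the target against the physical (inner) chain of the folder that holds the authenticating acl_users, rather than the traversal chain, stops the roles from leaking. The check_context flag exists only to show the two behaviours side by side.

```python
# Illustrative model of user-folder containment in a Zope-style object
# tree. Written for this note; class and function names are invented.
# Nodes have a physical parent (the "inner" containment chain), and URL
# traversal acquires names from ancestors when a container lacks them.

class Node:
    """A content object with a physical parent and optional acl_users."""
    def __init__(self, name, parent=None, acl_users=None):
        self.name = name
        self.parent = parent          # physical container, None for the root
        self.children = {}
        self.acl_users = acl_users    # dict user -> set of roles, or None
        if parent is not None:
            parent.children[name] = self

def traverse(root, path):
    """Resolve a URL path with acquisition.

    Returns the list of nodes visited. A name missing from the current
    container is looked up in that container's ancestors, which is how
    /plone2/plone1 resolves although plone1 is not inside plone2.
    """
    current = root
    hops = [root]
    for name in path.strip('/').split('/'):
        if not name:
            continue
        container, found = current, None
        while container is not None:
            if name in container.children:
                found = container.children[name]
                break
            container = container.parent   # acquire from an ancestor
        if found is None:
            raise KeyError(name)
        hops.append(found)
        current = found
    return hops

def physical_chain(node):
    """Containment chain from node up to the root (the inner chain)."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain

def authenticate(hops, user):
    """Nearest acl_users along the traversal path that knows the user.

    Returns (roles, folder_holding_that_acl_users) or (set(), None).
    """
    for node in reversed(hops):
        if node.acl_users and user in node.acl_users:
            return set(node.acl_users[user]), node
    return set(), None

def effective_roles(root, path, user, check_context=True):
    """Roles the user gets on the object at path.

    With check_context=True the target must lie physically inside the
    folder governed by the acl_users that authenticated the user; with
    False the roles follow the traversal path, which is the leak reported.
    """
    hops = traverse(root, path)
    target = hops[-1]
    roles, folder = authenticate(hops, user)
    if folder is None:
        return set()
    if check_context and folder not in physical_chain(target):
        return set()
    return roles

def build_site():
    """Constructed sample tree matching the report: two sibling Plone sites."""
    root = Node('root', acl_users={'admin': {'Manager'}})
    plone1 = Node('plone1', root, acl_users={'alice': {'Member'}})
    Node('plone2', root, acl_users={'Demo': {'Manager'}})
    Node('news', plone1)
    return root

if __name__ == '__main__':
    site = build_site()
    print(effective_roles(site, '/plone2', 'Demo'))                        # {'Manager'}
    print(effective_roles(site, '/plone2/plone1', 'Demo'))                 # set()
    print(effective_roles(site, '/plone2/plone1', 'Demo', False))          # {'Manager'}
```

The Demo user keeps Manager on /plone2, loses it on /plone2/plone1 because plone1's physical chain is plone1 -> root and never passes through plone2, and a root-level admin still gets Manager everywhere because root is in every chain. If a real installation behaves like the check_context=False branch, that is the hole the report describes.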