[Zope] Security Problem
Sat, 29 Mar 2003 18:35:53 -0500
[Dylan Reinhardt wrote (email@example.com) on 3/26/03 2:33 PM]
> On Thu, 2003-03-27 at 01:39, firstname.lastname@example.org wrote:
>> If I log in to plone2 as the user Demo, then go to the following url:
>> The permissions are acquired from the demo site giving full Manager access
>> to my main plone site. This is obviously a serious problem.
> Yep. This is a huge vulnerability in certain configurations.
> But the *real* problem is not that plone1 methods can be applied to
> plone2 objects. That is a feature, not a bug. :-)
(butting into this thread late)
right, this is aquisition. if you have index_html in the same folder as
standard_html_footer and do <dtml-var standard_html_footer> in your
index_html, it pulls that one and not one above. Same idea with folders,
> Rather, the problem is that you have implicitly *permitted* this to take
> place by using common roles across sites. I suspect that you're hardly
> alone in setting up your site this way. In fact, I was auditing one of
> my own sites and stumbled across a variant of this technique that
> allowed arbitrary access to virtually any object on the server. Yikes!
I'm not so sure its because of this...
> I'm working on a howto for this concern... but in the interim, I'd
> strongly recommend taking three steps to secure *any* multi-user,
> multi-host Zope app:
> 1. Reserve the Manager role for server administration only. Just as
> importantly, don't *ever* assign a Manager proxy role unless you are
> certain you've worked out all the implications of that method being
> applied to arbitrary objects.
> 2. Use different roles for different groups of users. Create
> site-specific, function-specific roles like site1_admin, site2_admin,
> site1_user, etc. Use server-wide roles sparingly and define them
> narrowly (send_mail, add_user, etc).
I tested this out and found it did not work. I had two folders (folder1,
folder2) side by side in the same container (folder). I gave a user in
folder1 the role X_admin, which role had all the same perms as manager. this
is the only role this user had. this user was still able to call
folder1/folder2 and do what he liked in folder2.
> 3. Disable/restrict "view folder contents" permissions for all folders
> that are parents of your site root folders. Leaving that permission
> turned on for Anonymous (the default) allows virtually anyone to obtain
> details about your server setup that are quite handy for setting up
> cross-site scripting exploits. It's shockingly easy to do this and
> there are few (if any) reasons why you'd want that feature enabled for
> parents of your site roots anyway.
I don't see this permission anywhere... Do you mean "Access contents
I would add that turning off WebDAV access for anonymous users is a good
george donnelly - http://www.zettai.net/ - "We Love Newbies" :)
Zope Hosting - Dynamic Website Design - Search Engine Promotion
Yahoo, AIM: zettainet - MSN: email@example.com - ICQ: 51907738