[Zope] Security Problem

george donnelly list@zettai.net
Sat, 29 Mar 2003 18:35:53 -0500

[Dylan Reinhardt wrote (zope@dylanreinhardt.com) on 3/26/03 2:33 PM]

> On Thu, 2003-03-27 at 01:39, jamesd@mena.org.au wrote:
>> If I log in to plone2 as the user Demo, then go to the following url:
>> http://my.server/plone2/plone1
>> The permissions are acquired from the demo site giving full Manager access
>> to my main plone site. This is obviously a serious problem.
> Yep.  This is a huge vulnerability in certain configurations.
> But the *real* problem is not that plone1 methods can be applied to
> plone2 objects.  That is a feature, not a bug. :-)

(butting into this thread late)

right, this is aquisition. if you have index_html in the same folder as
standard_html_footer and do <dtml-var standard_html_footer> in your
index_html, it pulls that one and not one above. Same idea with folders,

> Rather, the problem is that you have implicitly *permitted* this to take
> place by using common roles across sites.  I suspect that you're hardly
> alone in setting up your site this way.  In fact, I was auditing one of
> my own sites and stumbled across a variant of this technique that
> allowed arbitrary access to virtually any object on the server.  Yikes!

I'm not so sure its because of this...

> I'm working on a howto for this concern... but in the interim, I'd
> strongly recommend taking three steps to secure *any* multi-user,
> multi-host Zope app:
> 1. Reserve the Manager role for server administration only.  Just as
> importantly, don't *ever* assign a Manager proxy role unless you are
> certain you've worked out all the implications of that method being
> applied to arbitrary objects.
> 2. Use different roles for different groups of users.  Create
> site-specific, function-specific roles like site1_admin, site2_admin,
> site1_user, etc.  Use server-wide roles  sparingly and define them
> narrowly (send_mail, add_user, etc).

I tested this out and found it did not work. I had two folders (folder1,
folder2) side by side in the same container (folder). I gave a user in
folder1 the role X_admin, which role had all the same perms as manager. this
is the only role this user had. this user was still able to call
folder1/folder2 and do what he liked in folder2.

> 3. Disable/restrict "view folder contents" permissions for all folders
> that are parents of your site root folders.  Leaving that permission
> turned on for Anonymous (the default) allows virtually anyone to obtain
> details about your server setup that are quite handy for setting up
> cross-site scripting exploits.  It's shockingly easy to do this and
> there are few (if any) reasons why you'd want that feature enabled for
> parents of your site roots anyway.

I don't see this permission anywhere... Do you mean "Access contents
information" ?

I would add that turning off WebDAV access for anonymous users is a good

george donnelly - http://www.zettai.net/ - "We Love Newbies" :)
Zope Hosting - Dynamic Website Design - Search Engine Promotion
Yahoo, AIM: zettainet - MSN: zettainet@hotmail.com - ICQ: 51907738