[Zope] Re: REMOTE_USER Security Issue

Cliff Ford Cliff.Ford at ed.ac.uk
Mon May 15 14:44:09 EDT 2006


Hmmm, it was request.environ['REMOTE_USER'] that I found a way to hack. 
However, your comment has caused me to realise that when not logged in, 
Apache is not setting the REMOTE_USER environment variable, so a script 
can set it (in environ). So if I get the Apache boss to set REMOTE_USER 
to None that should fix it? Subtle.

Thanks for making me think.

Cliff

Tres Seaver wrote:
> Cliff Ford wrote:
> 
>>My people want to adopt a single sign-on system for web applications
>>that is based on the REMOTE_USER environment variable. I have tried out
>>RemoteUserFolder and also adapted exUserFolder to work similarly.
>>
>>My problem is that I figured out how a user who has permission to create
>>python scripts (might work with dtml and page templates too) could
>>access otherwise forbidden content by making calls that pretend to come
>>from another user. Has anyone else come across this problem and devised
>>a solution, either in software or organisation?
>>
>>Problem verified with Zope 2.9.2 and latest RemoteUserFolder
> 
> User folders who care need to look at the request's 'environ' dict, e.g.::
> 
>   remote_user = request.environ['REMOTE_USER']  # not hackable
> 
> rather than the default one where untrusted code can scribble::
> 
>   remote_user = request['REMOTE_USER']  # hackable
> 
> 
> Tres.
> --
> ===================================================================
> Tres Seaver          +1 202-558-7113          tseaver at palladion.com
> Palladion Software   "Excellence by Design"    http://palladion.com
> 
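The two lookups Tres contrasts, plus the not-logged-in case Cliff describes, modelled in a constructed Python stand-in (an added example, not Zope's or RemoteUserFolder's code). The `Request` class, its form-before-environ lookup order and the `identify_*` functions are assumptions made for illustration; capturing the server-supplied value when the request is built is one defensive option, and it complements having Apache always set REMOTE_USER.

```python
class Request:
    """Minimal stand-in for a Zope HTTPRequest (constructed for this example)."""

    def __init__(self, environ, form):
        # 'environ' is what the web server (Apache) passed in; 'form' is
        # whatever the client sent in the query string or POST body.
        self.environ = dict(environ)
        self.form = dict(form)
        # Capture the server-supplied identity before any untrusted code
        # (scripts, DTML, templates) runs in this request.
        self._trusted_remote_user = self.environ.get("REMOTE_USER")

    def __getitem__(self, key):
        # Lookup order modelled on Zope: client-supplied form data is
        # consulted before the server-supplied environment.
        if key in self.form:
            return self.form[key]
        return self.environ[key]


def identify_hackable(request):
    """request['REMOTE_USER']: a form field of the same name shadows Apache."""
    try:
        return request["REMOTE_USER"]
    except KeyError:
        return None


def identify_environ(request):
    """request.environ['REMOTE_USER']: immune to form data, but reads environ as
    it is *now*, so a value written there later (Apache set nothing) is trusted."""
    return request.environ.get("REMOTE_USER")


def identify_snapshot(request):
    """Use the value captured at request construction; absent means
    'not authenticated', never 'whatever was written there since'."""
    return request._trusted_remote_user


def demo():
    # Case 1: Apache authenticated 'alice'; the client also sends a
    # REMOTE_USER=admin form field.
    r1 = Request({"REMOTE_USER": "alice"}, {"REMOTE_USER": "admin"})
    # Case 2: not logged in, so Apache set nothing; untrusted code then
    # scribbles into environ during the request (Cliff's case).
    r2 = Request({}, {})
    r2.environ["REMOTE_USER"] = "admin"
    return {
        "form_shadowing": (identify_hackable(r1), identify_environ(r1), identify_snapshot(r1)),
        "unset_then_written": (identify_hackable(r2), identify_environ(r2), identify_snapshot(r2)),
    }
```

Only the snapshot returns "no user" in the second case; reading environ at lookup time trusts whatever was written into it after the request was built.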
