[Zope-Annce] Zwiki security alert!
08 Jun 2000 10:11:12 -0700
I've added some 0.6 release notes on zwikiweb
(http://joyful.com/zwiki) and also a
summary: upgrade to 0.6.1 now!
Zwiki versions before 0.6 allowed executable DTML content by
default, with a big vulnerability: a hostile anonymous or unprivileged
user could add harmful DTML code to a page (e.g. to delete all Zope
objects), which could then be successfully executed by the next privileged
user to view that page. Zwiki 0.6.1 has changes to alleviate this.
The trojan issue is still a problem even with non-DTML pages
which are editable, because most of zwiki's page types are
rendered as HTML. This means hostile users could add harmful HTML or
What this means:
If you manage a zwiki web that is editable by untrusted users, you should:
(a) upgrade to 0.6.1 or greater
(b) familiarize yourself with this issue
(c) choose a policy you are comfortable with and change your
page types and your view/edit/manage permissions if necessary
For more details, see the commentary on the trojan issue below
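The following is an added illustration, not code from Zwiki or from this announcement. It models the policy decision in steps (a) to (c) above: a page whose content is evaluated on view (DTML) or delivered to the browser as markup (HTML) is dangerous exactly when untrusted roles hold the edit permission, and the two remedies are to tighten that permission or to switch the page to an escaped plain-text type. The page-type names, the `Anonymous` role, and the `WikiPage` class are assumptions made for the example.

```python
"""Audit of wiki page types against edit permissions (added example).

Not Zwiki's own code. Page-type names, role names and the WikiPage class
are assumptions constructed for this illustration.
"""
import html
from dataclasses import dataclass, replace

# Assumed page-type classes (names are constructed for this example).
EXECUTABLE_TYPES = {"dtml"}               # evaluated by the server on view
HTML_TYPES = {"html", "structuredtext"}   # reaches the browser as markup
TEXT_TYPES = {"plaintext"}                # escaped before display

UNTRUSTED_ROLES = {"Anonymous"}           # assumed role name


@dataclass(frozen=True)
class WikiPage:
    name: str
    page_type: str
    edit_roles: frozenset
    body: str = ""


def editable_by_untrusted(page: WikiPage) -> bool:
    return bool(page.edit_roles & UNTRUSTED_ROLES)


def audit(pages):
    """Return [(name, severity)] for pages where an untrusted editor's
    stored content is later executed or rendered for other viewers."""
    findings = []
    for p in pages:
        if not editable_by_untrusted(p):
            continue
        if p.page_type in EXECUTABLE_TYPES:
            # Code in the page runs with the privileges of the next viewer.
            findings.append((p.name, "high"))
        elif p.page_type in HTML_TYPES:
            # Markup in the page runs in the next viewer's browser.
            findings.append((p.name, "medium"))
    return findings


def apply_policy(page: WikiPage, policy: str) -> WikiPage:
    """Two of the policy choices left to the site owner:
    'restrict' removes untrusted roles from the edit permission;
    'downgrade' switches the page to the escaped plain-text type."""
    if policy == "restrict":
        return replace(page, edit_roles=page.edit_roles - UNTRUSTED_ROLES)
    if policy == "downgrade":
        return replace(page, page_type="plaintext")
    raise ValueError(f"unknown policy: {policy}")


def render(page: WikiPage) -> str:
    """Plain-text pages are escaped, so stored markup is displayed rather
    than interpreted. HTML pages pass through unchanged, which is only
    acceptable when edit_roles are trusted. Executable types are evaluated
    by the application server and are deliberately not modelled here."""
    if page.page_type in TEXT_TYPES:
        return html.escape(page.body)
    if page.page_type in HTML_TYPES:
        return page.body
    raise ValueError(f"{page.page_type!r} pages are evaluated server-side, not rendered here")


# Constructed sample wiki: one page per situation described in the alert.
SAMPLE_PAGES = [
    WikiPage("FrontPage", "dtml", frozenset({"Anonymous", "Manager"}),
             "<dtml-var title_or_id>"),
    WikiPage("SandBox", "html", frozenset({"Anonymous"}),
             "<b>anyone</b> may edit this"),
    WikiPage("AdminNotes", "dtml", frozenset({"Manager"}),
             "<dtml-var standard_html_header>"),
]

if __name__ == "__main__":
    for name, severity in audit(SAMPLE_PAGES):
        print(f"{severity:6} {name}")
    print(render(apply_policy(SAMPLE_PAGES[1], "downgrade")))
```

Running the audit over the constructed sample flags the anonymously editable DTML page as high and the anonymously editable HTML page as medium; the manager-only DTML page is not flagged, because the trojan path needs an untrusted editor. Either policy clears all findings, which is the point of step (c): the page type and the edit permission are two independent knobs, and fixing either one breaks the chain.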