[Zope-Annce] Zwiki security alert!

Simon Michael simon@joyful.com
08 Jun 2000 10:11:12 -0700

I've added some 0.6 release notes on zwikiweb
(http://joyful.com/zwiki) and also a

Security Alert!

summary: upgrade to 0.6.1 now!

DTML trojans:
Zwiki versions before 0.6 allowed executable DTML content by default,
which opened a serious vulnerability: a hostile anonymous or unprivileged
user could add harmful DTML code to a page (e.g. code to delete all Zope
objects), and that code would run when the next privileged user viewed
the page. Zwiki 0.6.1 has changes to alleviate this.

HTML trojans:
The trojan issue remains a problem even with editable non-DTML pages,
because most of Zwiki's page types are rendered as HTML. This means
hostile users could add harmful HTML or JavaScript that is executed in
the browsers of others who view the page.
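As an added illustration (not code from this announcement or from Zwiki itself), the Python below shows the mitigation the two sections above point to: untrusted page source is passed through an allowlist sanitizer before rendering, so DTML tags, script, event-handler attributes and javascript: links never reach the Zope server or another viewer's browser. The tag allowlist, the sample page and the DTML method name delete_everything are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "pre", "code", "br"}  # constructed
ALLOWED_ATTRS = {"a": {"href"}}  # anything not listed above (script, iframe, any dtml-*) is dropped
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")

class WikiSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []  # safe fragments; audit trail of removed items for logging
        self._suppress = None  # set while inside <script>/<style>: the body is dropped too

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # also catches DTML tags such as dtml-call / dtml-var
            self.dropped.append(tag)
            if tag in ("script", "style"):
                self._suppress = tag
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")  # on* handlers, style, ...
            elif name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                self.dropped.append(f"{tag}@{name}")  # javascript:, data:, ...
            else:
                parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag == self._suppress:
            self._suppress = None
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._suppress is None:
            self.out.append(escape(data, quote=False))  # text stays text, never markup

def sanitize(source):  # returns (safe_html, dropped_items) for an untrusted wiki page body
    parser = WikiSanitizer()
    parser.feed(source)
    parser.close()
    return "".join(parser.out), parser.dropped

UNTRUSTED_PAGE = (  # constructed hostile page source, after the announcement's scenario
    "<p>Welcome to <b>our wiki</b>.</p>\n<dtml-call delete_everything>\n"  # placeholder DTML method
    '<script>alert(1)</script>\n<a href="javascript:alert(1)" onclick="run()">link</a>\n'
    '<a href="http://joyful.com/zwiki">zwiki</a>'
)
```

The dropped list is what a site admin would log and review; a sudden run of dtml-* or script entries from one user is the signal that someone is trying the trojan described above.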

What this means:
If you manage a Zwiki web that is editable by untrusted users, you should
(a) upgrade to 0.6.1 or later,
(b) familiarize yourself with this issue, and
(c) choose a policy you are comfortable with and change your
page types and your view/edit/manage permissions if necessary.

For more details, see the commentary on the trojan issue below
and http://www.zope.org/Members/jim/ZopeSecurity/TrojanIssueOverview