[Zope-Annce] [Security advisory] Zope 2.7 + 2.8
lists at andreas-jung.com
Thu Dec 9 12:58:37 EST 2004
Due to an error in the cAccessControl module of Zope it is possible to
bring down a complete Zope site as documented in
This exploit causes a segmentation fault in the Python interpreter.
At a minimum, all Zope installations that allow untrusted users to edit
ZPTs (possibly DTML as well), either through the ZMI or through the file
system, are vulnerable to this exploit.
Zope 2.7.X, Zope 2.8.X
Turn off cAccessControl and enable the Python AccessControl
in etc/zope.conf (this line is commented out in the default configuration):
A fixed implementation of cAccessControl will be included in the upcoming
Zope 2.7.4 beta 2 release.
Zope 2 Release Manager