[Zope-Annce] Hotfix for cross-site scripting vulnerability
mj at zopatista.com
Tue Mar 20 04:40:30 EDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
A vulnerability has been discovered in Zope whereby, through certain types
of misuse of HTTP GET requests, an attacker could gain elevated privileges.
All Zope versions up to and including 2.10.2 are affected.
This hotfix closes the hole by mandating that security settings can only be
altered through POST requests; a GET request to the affected methods is now
refused. This has been fixed in the Zope 2.8, 2.9 and 2.10 branches, and all
future releases of Zope will include this fix.
Do note that this patch only guards direct web requests to the security
methods; any third-party code that calls these methods indirectly may
still be affected.
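To make the mechanism and its limitation concrete, here is an added, stand-alone Python illustration (it is not the hotfix's own code and does not import Zope). It assumes a hypothetical guard `require_post` that inspects the `REQUEST_METHOD` of a request object handed to a published method, applied to a made-up security method `manage_setLocalRoles`; `FakeRequest` is a constructed stand-in for the publisher's REQUEST mapping. The last function shows the indirect-call case the paragraph above warns about: a caller that invokes the method without passing a request is never checked.

```python
"""Illustrative POST-only guard for state-changing methods.

Added example, not the Zope hotfix. The names require_post, Forbidden,
FakeRequest, Folder and manage_setLocalRoles are hypothetical.
"""
from functools import wraps


class Forbidden(Exception):
    """Raised when a security method is reached via a non-POST request."""


def require_post(method):
    """Decorator: run `method` only if the web request (if any) is a POST.

    The guard looks at the REQUEST mapping passed to the method. A direct
    web request always carries one, so a GET is refused. An internal call
    that passes no REQUEST is not inspected at all; that is the gap the
    advisory describes for third-party code calling these methods indirectly.
    """
    @wraps(method)
    def guarded(self, *args, **kw):
        request = kw.get('REQUEST')
        if request is not None:
            verb = request.get('REQUEST_METHOD', 'GET').upper()
            if verb != 'POST':
                raise Forbidden('%s must be called via POST, not %s'
                                % (method.__name__, verb))
        return method(self, *args, **kw)
    return guarded


class FakeRequest(dict):
    """Constructed stand-in for the publisher's REQUEST mapping."""


class Folder:
    """Minimal object with one security-altering method."""

    def __init__(self):
        self.roles = {}

    @require_post
    def manage_setLocalRoles(self, userid, roles, REQUEST=None):
        """Grant `roles` to `userid` (hypothetical security method)."""
        self.roles[userid] = list(roles)
        return 'ok'


def simulate_web_request(verb):
    """Drive the guarded method as the publisher would for an HTTP `verb`.

    Returns ('accepted'|'rejected', resulting roles) so the outcome of a
    GET versus a POST can be compared.
    """
    folder = Folder()
    request = FakeRequest(REQUEST_METHOD=verb)
    try:
        folder.manage_setLocalRoles('eve', ['Manager'], REQUEST=request)
    except Forbidden:
        return ('rejected', dict(folder.roles))
    return ('accepted', dict(folder.roles))


def simulate_indirect_call():
    """Call the method from code, with no REQUEST: the guard never runs."""
    folder = Folder()
    folder.manage_setLocalRoles('eve', ['Manager'])
    return dict(folder.roles)


if __name__ == '__main__':
    for verb in ('GET', 'HEAD', 'POST'):
        print(verb, simulate_web_request(verb))
    print('indirect', simulate_indirect_call())
```

Rejecting GET stops the simplest form of the attack, a link or image URL that the victim's browser fetches with the victim's session cookie attached. It does not by itself stop a POST submitted cross-site from an attacker's HTML form, so a method-check like this is a mitigation rather than a substitute for a per-request token, and, as the example's last function shows, it never applies to callers that bypass the publisher.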
We have prepared a hotfix for this problem. It should be installed as soon
as possible.
To install, simply extract the archive into your Products
directory in your Zope installation.
for installation instructions.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
-----END PGP SIGNATURE-----