[Zope-PTK] Security problems with letting Members use DTML
Itamar Shtull-Trauring
itamars@ibm.net
Fri, 24 Mar 2000 16:13:34 +0200
This is actually more relevant to zope.org, but will eventually be an issue
with PTK, I think.
Consider the following situation on zope.org: I register a News item, ask
for it to be cataloged - then quickly delete the object and replace it with
a folder of the same name. I then put a DTML Method called manageCatalogForm
into it (which'd be called publish in PTK sites).
Now, according to a reply I got to one of my cataloging requests:
> itamar requests that an object be cataloged.
>
> View it:
> http://www.zope.org/Members/itamar/load_site
>
> Catalog it
> http://www.zope.org/Members/itamar/load_site/manageCatalogForm
>
> Make sure to be logged in as superuser to
> perform catalog entry adding.
I know that **superuser** is going to be visiting this DTML Method. So I
just add this to my fake manageCatalogForm:
<dtml-if "AUTHENTICATED_USER.getUserName() == 'superuser'">
<dtml-call "PARENTS[-1].manage_delObjects(PARENTS[-1].objectIds())">
</dtml-if>
or add a Manager user to acl_users or whatever.
In the same way, whenever any other user of Zope.org is logged in and
viewing one of my pages, I can do whatever I want to their Member pages.
The problem here, of course, is that viewing a page in Zope actually executes
code - the Unix equivalent might be, for example, having '.' as the first
item in PATH.
The obvious solution is disallowing use of DTML. But this is a general
problem in any Zope install where multiple users have write access, such as
hosting services.
--
Itamar S.T. itamars@ibm.net
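The authority problem the post describes, as an added toy model (not Zope code and not part of the original message): a page's embedded code runs with the roles of whoever views it, so a Member's page executed by the superuser gets Manager authority. The "owner&viewer" policy is an assumed mitigation for contrast, not something the post proposes: code runs only with roles held by both the page's owner and the viewer, so a Member-owned page can never exercise more than Member authority while a Manager's own pages still work.

```python
# Constructed toy model of the flaw in the post: executable content runs
# with the authority of the *viewer*. Account names, roles and the
# "owner&viewer" policy are assumptions made for this example.

# Roles held by each account (constructed sample data).
ROLES = {
    "superuser": {"Manager"},
    "itamar": {"Member"},
    "bob": {"Member"},
}

def may_delete_root(effective_roles):
    """Deleting objects at the site root requires the Manager role."""
    return "Manager" in effective_roles

class Page:
    """An executable page in a Member folder. 'code' is a callable that
    receives the set of roles the page is executed with."""
    def __init__(self, path, owner, code):
        self.path, self.owner, self.code = path, owner, code

def render(page, viewer, policy):
    """Execute the page's code under the given policy and return its outcome.

    policy="viewer":       code runs with the viewer's roles (the flaw).
    policy="owner&viewer": code runs with roles held by BOTH the page owner
                           and the viewer, so a Member's page cannot borrow
                           Manager authority from whoever happens to view it.
    """
    if policy == "viewer":
        effective = set(ROLES[viewer])
    elif policy == "owner&viewer":
        effective = set(ROLES[page.owner]) & set(ROLES[viewer])
    else:
        raise ValueError("unknown policy: %s" % policy)
    return page.code(effective)

def fake_catalog_form(effective_roles):
    """Model of the hostile page from the post: acts only if it is being
    executed with enough authority, otherwise the action is refused."""
    return "root emptied" if may_delete_root(effective_roles) else "denied"

FAKE_FORM = Page("/Members/itamar/load_site/manageCatalogForm",
                 owner="itamar", code=fake_catalog_form)

if __name__ == "__main__":
    for policy in ("viewer", "owner&viewer"):
        print(policy, "- superuser views a Member's page:",
              render(FAKE_FORM, "superuser", policy))
```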