[Zope] BIG security hole in www.zope.org

Tad Murphy murphyt@cybertad.com
Thu, 16 Sep 1999 17:02:26 -0500


I took the comment off the publicly viewable site... not to hide the
security hole, but to keep from giving the zope.org site a bad name... let's
report holes to Digital Creations, not exploit them and make the site look
bad... I'm sure you meant well...

Tad Murphy
"cybertad"
http://www.zope.org/Members/cybertad/

----- Original Message -----
From: Andy Dustman <adustman@comstar.net>
To: <zope@zope.org>
Sent: Thursday, September 16, 1999 4:47 PM
Subject: [Zope] BIG security hole in www.zope.org


| I found this somewhat by accident. I set up a membership and after a while,
| wanted to change my index_html. Unfortunately, I didn't get a copy, so it
| is inheriting the one from above. So, I tried this:
|
| http://www.zope.org/Members/adustman/index_html/manage
|
| Not only does this work, it lets me make the change. Which is why it
| presently says, "Hey, man, if you can read this, something is seriously
| hosed." On the members list, and every member page with the default
| index_html. Probably the security is set wrong up above (I hope).
|
| --
| andy dustman       |     programmer/analyst     |      comstar.net, inc.
| telephone: 770.485.6025 / 706.549.7689 | icq: 32922760 | pgp: 0xc72f3f1d