[Zope] SECURITY: Hotfix 2002-04-15
Peter Bengtsson
mail@peterbe.com
Tue, 16 Apr 2002 12:56:16 +0200
This Hotfix "breaks" CallProfiler 1.4 on Zope 2.5.0 (don't know about the
other Zope versions)
A solution?
On Monday 15 April 2002 22:23, Brian Lloyd wrote:
> This hotfix addresses an important security issue that may affect
> some users of Zope versions 2.0 through 2.5.1 b1.
>
> The issue involves a vulnerability involving "through the web code"
> inadvertently allowing an untrusted user to remotely shut down a
> Zope server by allowing the user to inject special headers into the
> response. If you allow untrusted users to write "through the web"
> code like Python Scripts, DTML Methods, or Page Templates, your Zope
> server is vulnerable.
>
> We highly recommend that any Zope site have this hotfix product
> installed to mitigate the issue. Zope 2.5.1b2 and 2.4.4b2 as
> well as subsequent Zope release versions will contain a fix for the
> issue, at which time the hotfix can be removed.
>
> http://www.zope.org/Products/Zope/Hotfix_2002-04-15/README.txt
>
>
> http://www.zope.org/Products/Zope/Hotfix_2002-04-15/Hotfix_2002-04-15.tgz
>
>
>
> Brian Lloyd brian@zope.com
> V.P. Engineering 540.361.1716
> Zope Corporation http://www.zope.com
>
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
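The advisory above describes the general shape of the problem: untrusted through-the-web code is allowed to set response headers, and some headers are interpreted by the server itself rather than passed through to the client. The following is an added illustration of the control class a defender would want in that situation, not code from the hotfix or from Zope. The announcement does not name the headers involved, so the `RESERVED_HEADERS` entry is a constructed placeholder; the function and type names are likewise assumptions for this example.

```python
import re

# Constructed placeholder: the advisory does not name the headers the server
# reserves for itself, so this denylist stands in for them. Not a real Zope header.
RESERVED_HEADERS = frozenset({
    "x-hypothetical-server-control",
})

# RFC 7230 "token" characters allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderRejected(ValueError):
    """Raised when a header set by untrusted script code must not reach the response."""


def validate_untrusted_header(name, value, reserved=RESERVED_HEADERS):
    """Return (name, value) if the header is safe to copy into the response.

    Three classes of input are refused: malformed names, names the server
    reserves for its own use, and values carrying CR/LF or other control
    characters (which would allow header injection / response splitting).
    """
    if not _TOKEN.match(name):
        raise HeaderRejected("invalid header name: %r" % name)
    if name.lower() in reserved:
        raise HeaderRejected("reserved header: %s" % name)
    if "\r" in value or "\n" in value:
        raise HeaderRejected("CR/LF in header value (header injection)")
    if any(ord(c) < 0x20 and c != "\t" for c in value) or "\x7f" in value:
        raise HeaderRejected("control character in header value")
    return name, value


def set_script_headers(response_headers, requested):
    """Apply headers requested by through-the-web code.

    Accepted headers are written into response_headers; refused ones are
    returned with the reason so they can be logged and alerted on rather than
    silently dropped.
    """
    rejected = []
    for name, value in requested:
        try:
            safe_name, safe_value = validate_untrusted_header(name, value)
        except HeaderRejected as exc:
            rejected.append((name, str(exc)))
            continue
        response_headers[safe_name] = safe_value
    return response_headers, rejected


if __name__ == "__main__":
    # Constructed sample of what an untrusted script might ask for.
    headers, refused = set_script_headers({}, [
        ("X-Custom", "ok"),
        ("X-Bad", "1\r\nSet-Cookie: injected=1"),
        ("X-Hypothetical-Server-Control", "1"),
    ])
    print("applied:", headers)
    print("refused:", refused)
```

The useful property here is that the filter sits between the script layer and the response object, so the decision of which headers an untrusted author may set is made once, centrally, instead of in every place a header is emitted. Logging the refusals gives detection of attempts, which the page's hotfix model (silently neutralising the header) does not on its own.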