[Zope] Security Problem

Dylan Reinhardt zope@dylanreinhardt.com
29 Mar 2003 16:26:14 -0800


On Sat, 2003-03-29 at 15:35, george donnelly wrote:
> > In fact, I was auditing one of
> > my own sites and stumbled across a variant of this technique that
> > allowed arbitrary access to virtually any object on the server.  Yikes!
> 
> I'm not so sure it's because of this...

What do you think it might be?


> > 2. Use different roles for different groups of users.  Create
> > site-specific, function-specific roles like site1_admin, site2_admin,
> > site1_user, etc.  Use server-wide roles sparingly and define them
> > narrowly (send_mail, add_user, etc).
> 
> I tested this out and found it did not work. I had two folders (folder1,
> folder2) side by side in the same container (folder). I gave a user in
> folder1 the role X_admin, which role had all the same perms as manager. This
> is the only role this user had. This user was still able to call
> folder1/folder2 and do what he liked in folder2.

I'm not sure if there's enough information to know what you're saying,
exactly.  That won't stop me from responding, though. :-)

The roots of most virtual hosts are going to be viewable by Anonymous,
as will much of their content.  As such, those objects can be acquired
at will by anyone.  

It's very difficult to prevent acquisition from allowing the *viewing*
of objects cross-site since keeping these things viewable by Anonymous
is pretty darn convenient.  

In many situations, it could be considered a problem that it's possible
to make any part of site2 *appear* to be a part of site1... but again,
that's a problem that boils down to two sites sharing the same role,
Anonymous.  I'm not saying that creating different Anonymous roles is
warranted, BTW... but as far as I can tell, role sharing is the nature
of the problem.

If you configure priv_method in folder2 such that it is only viewable by
folder2_admin, you won't be able to see it if your role is
folder1_admin.  This suggests that the roles required for privileged
operations should be tailored very carefully so as to be available only to
those intended to have them.  Re-using roles is too permissive in most
cases.

Or have you really found a way to circumvent site-specific roles?

> 
> > 3. Disable/restrict "view folder contents" permissions for all folders
> 
> I don't see this permission anywhere... Do you mean "Access contents
> information" ?

Yes... that's what it's called.  I think it was "view folder contents"
at one point, but it's obviously not called that any more.  :-)

> 
> I would add that turning off WebDAV access for anonymous users is a good
> idea.

Absolutely.

Dylan
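
Added example (not part of the thread and not Zope's own code): a toy Python model of the acquisition and role checks discussed above, written to show that folder2's priv_method stays closed to a folder1_admin even when it is reached as folder1/folder2/priv_method, while Anonymous-viewable content does acquire across sites (so folder2 "appears" under folder1) and a single server-wide admin role opens both sites at once. It assumes, as a simplification of Zope's real security machinery, that permission settings and local roles are resolved along the containment chain (aq_inner parents), not along the URL path that acquisition took. The names root, folder1, folder2, alice, bob, index_html, priv_method, site_admin and the Manage permission are made up for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ANONYMOUS = "Anonymous"  # Zope grants a permission to everyone when this role holds it


@dataclass
class Node:
    """A Zope-like object: a folder and/or the holder of some methods (toy model)."""
    name: str
    parent: Node | None = None
    children: dict[str, Node] = field(default_factory=dict)
    methods: dict[str, str] = field(default_factory=dict)          # method -> protecting permission
    perm_roles: dict[str, set[str]] = field(default_factory=dict)  # permission -> roles; absent = acquire
    local_roles: dict[str, set[str]] = field(default_factory=dict)  # user -> roles granted here and below

    def add(self, child: Node) -> Node:
        child.parent = self
        self.children[child.name] = child
        return child

    def containment(self):
        """Yield self, its container, its container's container, ... (the aq_inner chain)."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def traverse(root: Node, path: str) -> tuple[Node, str | None]:
    """Resolve a URL path step by step. A name missing from the current object is
    acquired from the nearest container that has it, which is how folder1/folder2
    reaches folder2 even though folder2 lives beside folder1, not inside it."""
    obj = root
    names = [n for n in path.split("/") if n]
    for i, name in enumerate(names):
        for holder in obj.containment():
            if name in holder.children:
                obj = holder.children[name]
                break
            if name in holder.methods:
                if i != len(names) - 1:
                    raise KeyError(f"{name!r} is a method, cannot traverse through it")
                return holder, name
        else:
            raise KeyError(f"{name!r} not found in {path!r}, not even by acquisition")
    return obj, None


def roles_for_permission(obj: Node, perm: str) -> set[str]:
    """Permission settings acquire: walk up until some container sets them."""
    for holder in obj.containment():
        if perm in holder.perm_roles:
            return holder.perm_roles[perm]
    return set()  # never set anywhere: nobody has it


def roles_in_context(user: str | None, global_roles: dict[str, set[str]], obj: Node) -> set[str]:
    """Global roles plus local roles found on the object's own containers
    (assumption: not on whatever folder the URL happened to pass through)."""
    if user is None:
        return set()
    roles = set(global_roles.get(user, set()))
    for holder in obj.containment():
        roles |= holder.local_roles.get(user, set())
    return roles


def can_call(user: str | None, global_roles: dict[str, set[str]], root: Node, path: str) -> bool:
    holder, method = traverse(root, path)
    perm = holder.methods[method] if method else "View"
    allowed = roles_for_permission(holder, perm)
    if ANONYMOUS in allowed:
        return True  # viewable by Anonymous means viewable by anyone at all
    return bool(allowed & roles_in_context(user, global_roles, holder))


def build_server(shared_admin_role: bool) -> tuple[Node, dict[str, set[str]]]:
    """Two sites side by side under one root (all names invented for this example)."""
    root = Node("root", perm_roles={"View": {ANONYMOUS}, "Manage": set()})
    site_methods = {"index_html": "View", "priv_method": "Manage"}
    folder1 = root.add(Node("folder1", methods=dict(site_methods)))
    folder2 = root.add(Node("folder2", methods=dict(site_methods)))
    global_roles: dict[str, set[str]] = {}
    if shared_admin_role:
        # one server-wide role, granted globally and reused for both sites
        root.perm_roles["Manage"] = {"site_admin"}
        global_roles = {"alice": {"site_admin"}, "bob": {"site_admin"}}
    else:
        # site-specific roles, each mapped and granted only inside its own site
        folder1.perm_roles["Manage"] = {"folder1_admin"}
        folder1.local_roles["alice"] = {"folder1_admin"}
        folder2.perm_roles["Manage"] = {"folder2_admin"}
        folder2.local_roles["bob"] = {"folder2_admin"}
    return root, global_roles


def demo() -> dict[str, bool]:
    root, gr = build_server(shared_admin_role=False)
    shared_root, shared_gr = build_server(shared_admin_role=True)
    return {
        # Anonymous content acquires across sites: folder2 "appears" under folder1
        "anon_sees_folder2_via_folder1": can_call(None, gr, root, "folder1/folder2/index_html"),
        "alice_manages_folder1": can_call("alice", gr, root, "folder1/priv_method"),
        # site-specific role: acquisition does not carry folder1_admin into folder2
        "alice_manages_folder2_via_folder1": can_call("alice", gr, root, "folder1/folder2/priv_method"),
        "bob_manages_folder2": can_call("bob", gr, root, "folder2/priv_method"),
        # shared server-wide role: the very same URL now succeeds
        "shared_alice_manages_folder2_via_folder1":
            can_call("alice", shared_gr, shared_root, "folder1/folder2/priv_method"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'allowed' if ok else 'denied'}")
```

Running it prints the five outcomes; the only line that flips between the two configurations is the last one, which is the point: acquisition makes folder2 reachable through folder1 in both setups, and whether that reach turns into a privileged operation is decided entirely by which roles the two sites share.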