SecurityTracker.com

SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Zope
Vendors:   Zope
Zope Web Application Content Server Proxy Role Error May Let Users Access Unauthorized Objects
SecurityTracker Alert ID:  1003740
SecurityTracker URL:  http://securitytracker.com/id/1003740
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 5 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.2.0 through 2.5.x
Description:   A vulnerability was reported in the Zope web application server. A valid user on the system may be able to access unauthorized objects.

It is reported that the software does not properly check security restrictions for objects with proxy roles. The context of the owner user that created the object with proxy roles is not properly taken into account when determining appropriate access to the object with proxy roles.

Impact:   A valid user defined in a subfolder of a site could access objects at higher levels in the site that they would not normally be able to access.
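The flaw described above is easiest to see as an authorization decision. The following is an added, simplified model written for this page; it is not Zope's own code, and the folder tree, user names, role name and helper functions are constructed for illustration. It contrasts a check that honours proxy roles on their own with a check that first requires the owner of the proxy-roled executable to be defined somewhere on the acquisition path of the object being accessed.

```python
# Added example (not Zope's own code): a simplified model of the access
# decision for an executable with proxy roles. Folder layout, user names and
# the "Manager" role below are constructed for illustration.


class Folder:
    def __init__(self, name, parent=None, user_folder=None):
        self.name = name
        self.parent = parent
        # Names of users defined by a user folder at this level (constructed).
        self.user_folder = user_folder or set()

    def ancestors(self):
        """Yield this folder and every folder above it (the acquisition path)."""
        node = self
        while node is not None:
            yield node
            node = node.parent


class User:
    def __init__(self, name, home):
        self.name = name
        self.home = home  # folder whose user folder defines this user

    def check_context(self, target):
        """True when the folder defining this user lies on the target's
        acquisition path, i.e. the user is 'in context' for the target."""
        return any(f is self.home for f in target.ancestors())


class Executable:
    """A script carrying proxy roles, owned by the user who created it."""

    def __init__(self, owner, proxy_roles):
        self.owner = owner
        self.proxy_roles = set(proxy_roles)


def vulnerable_validate(executable, target, roles_required):
    # Pre-hotfix behaviour as the advisory describes it: the proxy roles alone
    # decide access, regardless of where the owner is defined relative to the
    # target object.
    return bool(executable.proxy_roles & roles_required)


def fixed_validate(executable, target, roles_required):
    # Post-hotfix behaviour: the owner must be in context for the target before
    # the proxy roles are honoured; a user defined in a subfolder therefore
    # cannot use proxy roles to reach objects above that subfolder.
    if not executable.owner.check_context(target):
        return False
    return bool(executable.proxy_roles & roles_required)


# Constructed site layout:
#   root (defines "admin")
#   +-- docs            <- object higher up than the subfolder user
#   +-- sub (defines "bob")
#       +-- report      <- object inside the subfolder user's own area
root = Folder("root", user_folder={"admin"})
docs = Folder("docs", parent=root)
sub = Folder("sub", parent=root, user_folder={"bob"})
sub_report = Folder("report", parent=sub)

bob = User("bob", home=sub)
script = Executable(owner=bob, proxy_roles={"Manager"})
MANAGER_ONLY = {"Manager"}


def demo():
    """Return the three decisions that illustrate the flaw and the fix."""
    return {
        "vulnerable_allows_docs": vulnerable_validate(script, docs, MANAGER_ONLY),
        "fixed_allows_docs": fixed_validate(script, docs, MANAGER_ONLY),
        "fixed_allows_sub_report": fixed_validate(script, sub_report, MANAGER_ONLY),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The fixed check still grants the subfolder user's script access within its own subtree, so legitimate use of proxy roles is unaffected; only the reach above the owner's user folder is cut off.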
Solution:   The vendor has released a hot fix, available at:

http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz

The vendor highly recommends that any Zope site running Zope 2.2.0 through Zope 2.5.x have this hotfix product installed to mitigate the issue. Zope 2.5.1 and 2.4.4 will contain a fix for the issue, at which time the hotfix can be removed.

Vendor URL:  www.zope.org/Products/Zope/Hotfix_2002-03-01/security_alert
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [matt@zope.com: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)]


----- Forwarded message from "Matthew T. Kromer" <matt@zope.com> -----

> From: "Matthew T. Kromer" <matt@zope.com>
> To: zope-announce@zope.org
> Subject: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)
> Date: Fri, 01 Mar 2002 16:22:12 -0500
> 
> 
> This hotfix addresses an important security issue that may affect some 
> users of Zope versions 2.2.0 through 2.5.x
> 
> The issue involves the checking of security for objects with proxy 
> roles. The context of the owner user that created the object with proxy 
> roles was not being taken into account when determining access to the 
> object with proxy roles. This flaw could allow users defined in 
> subfolders of a site with sufficient privileges to access objects at 
> higher levels in the site that they would not normally be able to access.
> 
> We highly recommend that any Zope site running Zope 2.2.0 through Zope 
> 2.5.x have this hotfix product installed to mitigate the issue. Zope 
> 2.5.1 and 2.4.4 will contain a fix for the issue, at which time the 
> hotfix can be removed.
> 
> 
>      DOWNLOAD
> 
> Download this hotfix from
> 
>    
> http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz
> 
> -- 
> Matt Kromer
> Zope Corporation  http://www.zope.com/ 
> 

----- End forwarded message -----

-- 
http://schvin.net/


Copyright 2019, SecurityGlobal.net LLC