SecurityTracker.com
Category: Application (Web Server/CGI) > Zope
Vendors: Zope
Zope Web Application Server ZCatalog Index Access Control Bug Discloses Files to Remote Users
SecurityTracker Alert ID: 1005303
SecurityTracker URL: http://securitytracker.com/id/1005303
CVE Reference: CVE-2002-0688
Updated: Dec 15 2003
Original Entry Date: Sep 27 2002
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.4.0 through 2.5.1; or any version with ZCatalog plug-in index support installed
Description: A vulnerability was reported in the Zope web application server software. A remote user can bypass certain access control restrictions.

It is reported that a flaw in the security settings of ZCatalog allows a remote user (or untrusted code) to call arbitrary methods of catalog indexes.

Impact: A remote user can call arbitrary methods of catalog indexes to view information on the server.
Solution: The vendor has released a hot fix for users running Zope 2.4.0 through Zope 2.5.1, available at:

http://www.zope.org/Products/Zope/Hotfix_2002-06-14/Hotfix_2002-06-14.tgz

The vendor plans to include this fix in Zope 2.6, at which time the hotfix can be removed.

Vendor URL: http://www.zope.org/Products/Zope/Hotfix_2002-06-14/security_alert
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.
Apr 17 2004 (Debian Issues Fix) Zope Web Application Server ZCatalog Index Access Control Bug Discloses Files to Remote Users
Debian has released a fix.

Source Message Contents

Subject: Zope bug (Hotfix 2002-06-14 Alert)


http://www.zope.org/Products/Zope/Hotfix_2002-06-14/security_alert

CAN-2002-0688

Hotfix 2002-06-14 Alert

Created by zopematt on 2002/06/14.

This hotfix addresses an important security issue that affects users of
Zope versions 2.4.0 through 2.5.1 (or other Zope versions with
ZCatalog's plug-in index support installed).

The issue involves the security of the indexes of ZCatalog objects. A
flaw in the security settings of ZCatalog allows anonymous users to call
arbitrary methods of catalog indexes. The vulnerability also allows
untrusted code to do the same.

We highly recommend that any Zope site running Zope 2.4.0 through Zope
2.5.1 have this hotfix product installed to mitigate the issue. Zope 2.6
will contain a fix for the issue, at which time the hotfix can be
removed.

You may obtain this hotfix at:

    * http://www.zope.org/Products/Zope/Hotfix_2002-06-14/Hotfix_2002-06-14.tgz

Copyright 2019, SecurityGlobal.net LLC