You are not logged in Log in Join
You are here: Home » Members » ajung » Security Advisory for Zope 2.7 + 2.8 » View NewsItem
Log in
Name

Password

 
Link icon Forgot your password?
Print

Security Advisory for Zope 2.7 + 2.8

Synopsis:

Due to an error in the cAccessControl module of Zope it is possible to bring down a complete Zope site as documented in

http://mail.zope.org/pipermail/zope-dev/2004-December/024087.html

This exploit causes a segmentation fault of the Python interpreter.

Vulnerable for this exploit are at least all Zope installations that allow untrusted users to edit ZPTs (possibly DTML as well) either through the ZMI or through the file system.

Affected versions:

Zope 2.7.X, Zope 2.8.X

Recommended solution:

Turn off cAccessControl and enable the Python AccessControl implementation in etc/zope.conf (this line is commented in the default configuration):

security-policy-implementation python

A fixed implementation of cAccessControl will be included in the upcoming Zope 2.7.4 beta 2 release.

Copyright (c) 2011 Zope Foundation. All rights reserved. Legal | Contact
If you can read this text, it means you are not experiencing the Plone design at its best. Plone makes heavy use of CSS, which means it is accessible to any internet browser, but the design needs a standards-compliant browser to look like we intended it. Just so you know ;)