Log in
Forgot your password?
Zope hotfix update
We recently became aware of an important security issue that affected all released Zope versions prior to 2.2.1. A Hotfix product was released (Hotfix_08_09_2000) to correct the issue, but that hotfix missed one aspect of the issue.
The issue involved the fact that the getRoles method of user objects contained in the default UserFolder implementation returns a mutable Python type. Because the mutable object is still associated with the persistent User object, users with the ability to edit DTML could arrange to give themselves extra roles for the duration of a single request by mutating the roles list as a part of the request processing.
Further investigation revealed that it was possible to access the mutable attribute directly to perform the same exploit. This hotfix release (2000-08-17) has been made to resolve both aspects of the issue. Note that this hotfix supercedes the 2000-08-09 hotfix release.
While we know of no instances of this issue being used to exploit a site, we highly recommend that any Zope site running versions of Zope prior to 2.2.1 have this hotfix product installed to mitigate the issue if the site is accessible by untrusted users who have DTML editing privileges.
A hotfix for this issue in the form of an add-on Zope product has been made available on zope.org. To install the hotfix, simply download and install the package as you would any other Zope add-on product (extract it in the root of your Zope installation). Remember to restart your Zope installation for the hotfix to take effect.
http://www.zope.org/Products/Zope/Hotfix_2000-08-17/Hotfix_2000-08-17.tgz
The hotfix will work for all versions of Zope 2.0 and higher. The forthcoming Zope 2.2.1 release will contain the fix for this issue, and you be able to uninstall the hot fix after upgrading to 2.2.1 or higher (though nothing bad will happen if you don't uninstall it).