Zope Proxy Role Privilege Escalation

2002-03-01T00:00:00
ID OSVDB:5350
Type osvdb
Reporter Matthew Kromer(matt@zope.com)
Modified 2002-03-01T00:00:00

Description

Vulnerability Description

Zope contains a flaw that may allow a malicious user to gain access to files outside the configured security context. The issue is due to Zope failing to honour the security context of the creator of a proxy role when determining access to an object via that role. This flaw may lead to a loss of confidentiality.

Solution Description

Upgrade to version 2.4.4 or 2.5.1 and higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


References:

Vendor Specific Solution URL: http://www.zope.org/Products/Zope/hotfixes/
Vendor Specific Advisory URL
Security Tracker: 1003740
RedHat RHSA: RHSA-2002:060
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-02/0377.html
ISS X-Force ID: 8334
CVE: CVE-2002-0170
Bugtraq ID: 4229