Bugtraq mailing list archives

Zope DTML Role Issue


From: Hal Flynn <flynn () SECURITYFOCUS COM>
Date: Fri, 22 Dec 2000 00:26:37 -0800

For those of you that haven't seen it, this is the advisory that came
across the zope list regarding the DTML role issue.

*** Begin Advisory ***

Brian Lloyd brian () digicool com
Fri, 8 Dec 2000 15:48:52 -0500


Hi all,

Aleksander Salwa has brought a security issue to our attention
that affects all Zope versions up to and including Zope 2.2.4.
We have released a Hotfix product to address the issue that can
be downloaded from zope.org. (Thanks to Aleksander for finding
this and to Shane Hathaway for his quick response in resolving
it!)

The issue involves security registration of "legacy" names for
certain object constructors such as the constructors for DTML
Method objects. Security was not being applied correctly for the
legacy names, making it possible to call those constructors without
the permissions that should have been required. This issue could allow
anonymous users with enough internal knowledge of Zope to instantiate
new DTML Method instances through the Web.

The hotfix for this issue is available on the zope.org web site:

o http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz

We *highly* recommend that any Zope site running versions of
Zope up to and including 2.2.4 have this hotfix product installed
to mitigate the issue.

The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hotfix after upgrading.


Brian Lloyd        brian () digicool com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com
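
The pattern described in the advisory, as an added illustrative model that is not Zope's or Digital Creations' code: constructor permissions are declared under a canonical name, a legacy alias points at the same constructor, and a lookup that never resolves the alias (and treats an undeclared name as public) lets anonymous callers through, while the corrected lookup resolves aliases first and defaults to deny. The constructor name, alias, permission string and role sets below are assumptions for the example, not values taken from Zope.

```python
# Constructed role sets for the two callers compared in the example.
ANONYMOUS = frozenset({"Anonymous"})
MANAGER = frozenset({"Anonymous", "Authenticated", "Manager"})

# Permission required by each canonical constructor name (assumed values).
PERMISSIONS = {"manage_addDTMLMethod": "Add Documents, Images, and Files"}

# Legacy alias -> canonical constructor name (assumed alias for illustration).
LEGACY_NAMES = {"addDTMLMethod": "manage_addDTMLMethod"}

# Roles that hold each permission on the container (assumed grants).
ROLE_GRANTS = {"Add Documents, Images, and Files": {"Manager"}}


def has_permission(roles, permission):
    # True when any of the caller's roles has been granted the permission.
    return bool(roles & ROLE_GRANTS.get(permission, set()))


def resolve(name):
    # Map a legacy alias to its canonical constructor name; other names pass through.
    return LEGACY_NAMES.get(name, name)


def may_call_vulnerable(roles, name):
    # Bug pattern: the permission is looked up only under the exact name used,
    # so the alias has no declaration, and an undeclared name is treated as public.
    permission = PERMISSIONS.get(name)
    if permission is None:
        return True
    return has_permission(roles, permission)


def may_call_fixed(roles, name):
    # Fix: resolve the alias before the lookup, and deny anything undeclared.
    permission = PERMISSIONS.get(resolve(name))
    if permission is None:
        return False
    return has_permission(roles, permission)
```

Running the checks shows the anonymous caller reaching the constructor only through the alias in the vulnerable lookup, and being denied on both names once aliases are resolved.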

