SecurityTracker.com
SecurityTracker Archives

Category:  Application (Web Server/CGI)  >  Zope
Vendors:  Zope
Zope Web Application Server ZCatalog Index Access Control Bug Discloses Files to Remote Users
SecurityTracker Alert ID:  1005303
CVE Reference:  CVE-2002-0688
Updated:  Dec 15 2003
Original Entry Date:  Sep 27 2002
Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 2.4.0 through 2.5.1; or any version with ZCatalog plug-in index support installed
Description:  A vulnerability was reported in the Zope web application server software. A remote user can bypass the access control restrictions that should protect ZCatalog indexes.

A flaw in the security settings of ZCatalog allows an anonymous remote user (or untrusted code running inside the Zope instance) to call arbitrary methods of catalog indexes. Index methods are reachable through normal Zope URL traversal, so no authentication is required to reach them.

Impact:  A remote user can call arbitrary methods of catalog indexes and thereby read information that those indexes hold about the objects catalogued on the server.
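The advisory names the cause only as an access control error on index methods reached by traversal. The following is an added, constructed model of that failure mode and is not Zope's publisher, ZCatalog, or the hotfix code: a toy publisher maps a URL path to a method on an index object and checks the caller's roles against declared permissions. When a method has no declaration, `default_allow=True` lets anyone call it (the class of flaw described above), while `default_allow=False` denies it. The index class, the `/catalog/<index>/<method>` path shape, the role names and the sample documents are all assumptions made for the example.

```python
# Constructed model of the access-control flaw described in the advisory:
# catalog index methods reachable by URL traversal with no effective
# restriction.  Added illustration only; not Zope's publisher or hotfix code.


class Unauthorized(Exception):
    """Raised when the caller's roles do not satisfy a method's declaration."""


class CatalogIndex:
    """Stand-in for a ZCatalog plug-in index (hypothetical shape)."""

    def __init__(self, name, documents):
        self.name = name
        self._documents = dict(documents)   # docid -> indexed value

    def numObjects(self):
        return len(self._documents)

    def uniqueValues(self):
        # Returns every indexed value, e.g. the paths of catalogued objects,
        # including ones the caller could never traverse to directly.
        return sorted(set(self._documents.values()))

    def clear(self):
        self._documents.clear()
        return "cleared"


class Catalog:
    def __init__(self, indexes):
        self.indexes = {ix.name: ix for ix in indexes}


class Publisher:
    """Resolves '/catalog/<index>/<method>' to a method call on the index and
    checks the caller's roles against declared permissions first."""

    def __init__(self, catalog, default_allow):
        self.catalog = catalog
        self.default_allow = default_allow   # True reproduces the flaw
        self._declarations = {}              # method name -> allowed roles

    def declare(self, method, roles):
        self._declarations[method] = frozenset(roles)

    def call(self, roles, path):
        _, index_name, method_name = path.strip("/").split("/")
        index = self.catalog.indexes[index_name]
        if method_name.startswith("_"):
            raise Unauthorized(method_name)     # never publish private names
        allowed = self._declarations.get(method_name)
        if allowed is None:
            # Undeclared method: the default decides.  Default-allow is the bug.
            if not self.default_allow:
                raise Unauthorized(method_name)
        elif not allowed & set(roles):
            raise Unauthorized(method_name)
        return getattr(index, method_name)()


def build(default_allow):
    """Build a catalog with one index and a few constructed sample documents."""
    docs = {1: "/private/board-minutes", 2: "/private/payroll", 3: "/public/news"}
    catalog = Catalog([CatalogIndex("path_index", docs)])
    pub = Publisher(catalog, default_allow)
    pub.declare("numObjects", ["Anonymous", "Manager"])
    pub.declare("clear", ["Manager"])
    # uniqueValues is deliberately left undeclared: its reachability now
    # depends entirely on the publisher's default.
    return pub


def probe(pub, roles, method):
    """Call the index method as a user with the given roles; 'denied' on refusal."""
    try:
        return pub.call(roles, "/catalog/path_index/" + method)
    except Unauthorized:
        return "denied"


if __name__ == "__main__":
    for flag in (True, False):
        pub = build(default_allow=flag)
        print("default_allow=%s -> anonymous uniqueValues: %r"
              % (flag, probe(pub, ["Anonymous"], "uniqueValues")))
```

The point of the model is the default for undeclared methods: with default-allow, every method an index happens to have becomes an anonymous HTTP endpoint, and a data-returning method such as `uniqueValues` leaks whatever the index holds; with default-deny, only methods that were explicitly declared for the caller's roles are callable, which is the posture the hotfix restores for ZCatalog indexes.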
Solution:  The vendor has released a hot fix for users running Zope 2.4.0 through Zope 2.5.1, available at:

http://www.zope.org/Products/Zope/Hotfix_2002-06-14/Hotfix_2002-06-14.tgz

The vendor plans to include this fix in Zope 2.6, at which time the hotfix can be removed.

Vendor URL:  www.zope.org/Products/Zope/Hotfix_2002-06-14/security_alert
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 17 2004 (Debian Issues Fix) Zope Web Application Server ZCatalog Index Access Control Bug Discloses Files to Remote Users   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.



 Source Message Contents

Date:  Thu, 26 Sep 2002 01:39:33 -0400
Subject:  Zope bug (Hotfix 2002-06-14 Alert)

 

http://www.zope.org/Products/Zope/Hotfix_2002-06-14/security_alert

CAN-2002-0688

Hotfix 2002-06-14 Alert

Created by zopematt on 2002/06/14.

This hotfix addresses an important security issue that affects users of
Zope versions 2.4.0 through 2.5.1 (or other Zope versions with
ZCatalog's plug-in index support installed)

The issue involves the security of the indexes of ZCatalog objects. A
flaw in the security settings of ZCatalog allows anonymous users to call
arbitrary methods of catalog indexes. The vulnerability also allows
untrusted code to do the same.

We highly recommend that any Zope site running Zope 2.4.0 through Zope
2.5.1 have this hotfix product installed to mitigate the issue. Zope 2.6
will contain a fix for the issue, at which time the hotfix can be
removed.

You may obtain this hotfix at:

    * http://www.zope.org/Products/Zope/Hotfix_2002-06-14/Hotfix_2002-06-14.tgz

 


Copyright 2004, SecurityGlobal.net LLC