Zope security alert and hotfix product
We have recently become aware of an important security issue that affects all released Zope versions including the recent 2.2 beta 1 release.
The issue involves an inadequately protected method in one of the base classes in the DocumentTemplate package. It could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely, or through DTML code, without requiring proper user authorization.
A hotfix for this issue in the form of an add-on Zope product has been made available on zope.org. To install the hotfix, simply download and install the package as you would any other Zope add-on product (extract it in the root of your Zope installation). Remember to restart your Zope installation for the hotfix to take effect.
http://www.zope.org/Products/Zope/Hotfix_06_16_2000/Hotfix_06_16_2000.tgz
The hotfix will work for all versions of Zope 2.0 and higher, including the recent 2.2 alpha and beta releases. The forthcoming Zope 2.2 beta 2 release will contain a fix for this issue, and you will be able to uninstall the hotfix after upgrading to 2.2 (though nothing bad will happen if you don't uninstall it).
Note that the 2.1.7 release that was initially made to address this issue has been pulled in favor of this hotfix product, which allows managers of Zope sites to address the issue without worrying about the other implications of upgrading their installations.
While we know of no instances of this issue being used to exploit a site, we highly recommend that any Zope site accessible to untrusted clients install the 06/16/2000 hotfix product immediately.