You are not logged in Log in Join
You are here: Home » Download Zope Products » Zope » Hotfix_2000-12-08 » Zope hotfix: constructor alias security

Log in
Name

Password

 

Zope hotfix: constructor alias security

This hotfix addresses an important security issue that affects Zope versions 2.2.0 up to and including Zope 2.2.4. (Zope 2.1.x is not affected by this issue).

The issue involves security registration of "legacy" names for certain object constructors such as the constructors for DTML Method objects. Security was not being applied correctly for the legacy names, making it possible to call those constructors without the permissions that should have been required. This issue could allow anonymous users with enough internal knowledge of Zope to instantiate new DTML Method instances through the Web.

We highly recommend that any Zope site running versions of Zope 2.2.0 up to and including 2.2.4 have this hotfix product installed to mitigate the issue.

README

http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz

The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading.