- Hotfix_2001-08-04
-
This hotfix addresses an important security issue that affects Zope
version 2.3.3, all Zope 2.4.0 alpha and beta releases, as well
as the final release of Zope 2.4.0.
The issue involves an error in the _check_context method of the
AccessControl.User.BasicUser class. The bug made it possible to
access Zope objects via acquisition that a user would not otherwise
have access to. This issue could allow users with enough internal
knowledge of Zope to perform actions higher in the object hierarchy
than they should be able to.
We highly recommend that any Zope site running Zope 2.3.3, Zope
2.4.0 final or any alpha or beta version of 2.4.0 have this hotfix
product installed to mitigate the issue. Zope 2.4.1 will contain a fix
for the issue, at which time the hotfix can be removed. Zope versions
prior to 2.3.3 are not affected by this issue.
Thanks to Ron Bickers for providing a reproducible test case.
README
http://www.zope.org/Products/Zope/Hotfix_2001-08-04/Hotfix_2001_08_04.tgz
- Hotfix-200400807
-
- Hotfix-2006-07-05
-
- Hotfix-2006-08-21
-
- Hotfix-2007-03-20
-
Overview
This hotfix closes the vulnerability by requiring that security settings
be altered only through POST requests. The vulnerability has been fixed
in the Zope 2.8, 2.9 and 2.10 branches, and all future releases of Zope
will include this fix.
Note that this patch only guards direct requests to the security
methods; third-party code that calls these methods indirectly may
still be affected.
Hotfix
We have prepared a hotfix for this problem at:
http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/
This hotfix should be installed as soon as possible.
To install, extract the archive into the Products directory of your
Zope installation. See
http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/README.txt
for installation instructions.
References
- CVE
- CVE-2007-0240
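The control the Overview describes, as an added example that is not Zope's code: a decorator that refuses a security-changing handler unless the request arrived as a POST, together with a model of the caveat above, third-party code that calls the underlying primitive without passing through the guarded entry point. The Request and Folder classes, the handler names and the publish() dispatcher are constructed for this example; they are not Zope's REQUEST object or AccessControl API.

```python
"""Require POST for security-changing handlers (added example, not Zope code).

A GET can be triggered from a page the victim merely views (a link or an
<img src="...">), so a handler that changes security settings must refuse
anything that is not a POST. Names below are hypothetical, not Zope's API.
"""
from functools import wraps


class Forbidden(Exception):
    """Raised when a state-changing handler is reached with the wrong method."""


class Request:
    def __init__(self, method, form=None):
        self.method = method.upper()
        self.form = dict(form or {})


def post_only(handler):
    """Decorator: reject a web request unless its method is POST."""
    @wraps(handler)
    def guarded(self, request, *args, **kw):
        if request.method != "POST":
            raise Forbidden(f"{handler.__name__} requires POST, got {request.method}")
        return handler(self, request, *args, **kw)
    return guarded


class Folder:
    def __init__(self):
        self.local_roles = {}  # user name -> list of roles

    def _grant_role(self, user, role):
        """Internal primitive; knows nothing about HTTP."""
        self.local_roles.setdefault(user, []).append(role)

    @post_only
    def web_grant_role(self, request):
        """Web-facing entry point, guarded by the POST requirement."""
        self._grant_role(request.form["user"], request.form["role"])
        return "granted"

    def legacy_grant_role(self, request):
        """Models third-party code that calls the primitive directly and is
        therefore not covered by the guard (the caveat in the advisory)."""
        self._grant_role(request.form["user"], request.form["role"])
        return "granted"


def publish(folder, handler_name, request):
    """Dispatch a request to a named handler, turning Forbidden into a status."""
    handler = getattr(folder, handler_name)
    try:
        return handler(request)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    f = Folder()
    csrf = Request("GET", {"user": "mallory", "role": "Manager"})
    print(publish(f, "web_grant_role", csrf), f.local_roles)
    print(publish(f, "web_grant_role", Request("POST", csrf.form)), f.local_roles)
    print(publish(f, "legacy_grant_role", csrf), f.local_roles)
```

A POST requirement defeats the GET-based attack the hotfix targets. It does not stop a hostile page that auto-submits a hidden POST form to the victim's Zope site; closing that path needs a per-session anti-CSRF token checked on every state-changing request.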
- Hotfix_2002-06-14
-
The issue involves the security of the indexes of ZCatalog
objects. A flaw in the security settings of ZCatalog allows
anonymous users to call arbitrary methods of catalog indexes. The
vulnerability also allows untrusted code to do the same.
We highly recommend that any Zope site running Zope 2.4.0 through
Zope 2.5.1 have this hotfix product installed to mitigate the
issue. Zope 2.6 will contain a fix for the issue, at which time
the hotfix can be removed.
You may obtain this hotfix at:
- Hotfix_2001-09-28
-
This hotfix addresses an important security issue that affects Zope
versions 2.2.0 through 2.4.1.
The issue involves the "fmt" attribute of dtml-var tags. Without
this correction, Zope does not check security access to methods
invoked through "fmt". This issue could allow partially trusted
users with enough knowledge of Zope to call, in a limited way,
methods they would not otherwise be allowed to access.
We highly recommend that any Zope site running Zope 2.2.0 through Zope
2.4.1 have this hotfix product installed to mitigate the issue. Zope
2.4.2 will contain a fix for the issue, at which time the hotfix can
be removed.
README
http://www.zope.org/Products/Zope/Hotfix_2001-09-28
- Hotfix_2002-04-15
-
This hotfix addresses an important security issue that may affect
some users of Zope versions 2.0 through 2.5.1 b1.
The issue is that "through the web" code could inject special headers
into the response, inadvertently allowing an untrusted user to remotely
shut down a Zope server. If you allow untrusted users to write "through
the web" code such as Python Scripts, DTML Methods, or Page Templates,
your Zope server is vulnerable.
We highly recommend that any Zope site have this hotfix product
installed to mitigate the issue. Zope 2.5.1b2 and 2.4.4b2 as
well as subsequent Zope release versions will contain a fix for the
issue, at which time the hotfix can be removed.
README
Affects Zope 2.0 - 2.5.1
http://www.zope.org/Products/Zope/Hotfix_2002-04-15/Hotfix_2002-04-15.tgz
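One general control against the response-header injection described above, as an added example that is not Zope's code: a response object that validates every header a through-the-web script tries to set. The page does not say which headers the exploit injected, so the reserved-name set below is an assumption; the token and control-character checks are the generic part. The Response class and ttw_set_header() are constructed for this example.

```python
"""Validate response headers set by untrusted through-the-web code.

Added example, not Zope's code. Untrusted code may only set headers whose
names are well-formed tokens, whose values contain no CR/LF or other
control characters (a CR/LF in a value starts a new header line), and
which are not among the server's own connection-control headers.
"""
import re

# RFC 7230 header-name token characters.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Values: printable ASCII plus horizontal tab only. fullmatch() is used
# below because "$" would still match in front of a trailing "\n".
_VALUE = re.compile(r"[\t\x20-\x7e]*")


class HeaderError(ValueError):
    pass


class Response:
    # Assumed set of headers that only the server core may set; the page
    # does not name the headers involved in the 2002-04-15 issue.
    RESERVED = frozenset({"connection", "transfer-encoding", "content-length"})

    def __init__(self):
        self._headers = {}  # lower-cased name -> (original name, value)

    def set_header(self, name, value, trusted=False):
        """Set a header; untrusted callers (TTW scripts) get the strict checks."""
        if not _TOKEN.fullmatch(name):
            raise HeaderError(f"bad header name {name!r}")
        if not _VALUE.fullmatch(value):
            raise HeaderError(f"control character in value for {name}")
        key = name.lower()
        if key in self.RESERVED and not trusted:
            raise HeaderError(f"{name} may only be set by the server")
        self._headers[key] = (name, value)

    def render(self):
        """Serialise the header block as it would go on the wire."""
        lines = [f"{n}: {v}" for n, v in self._headers.values()]
        return "\r\n".join(lines) + "\r\n\r\n"


def ttw_set_header(response, name, value):
    """What a through-the-web script is allowed to do: True if the header
    was accepted, False if it was rejected."""
    try:
        response.set_header(name, value, trusted=False)
        return True
    except HeaderError:
        return False


if __name__ == "__main__":
    r = Response()
    print(ttw_set_header(r, "X-App", "ok"))
    print(ttw_set_header(r, "X-App", "ok\r\nConnection: close"))
    print(ttw_set_header(r, "Connection", "close"))
    print(repr(r.render()))
```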
- Hotfix_2002-03-01
-
This hotfix addresses an important security issue that may affect
some users of Zope versions 2.2.0 through 2.5.x
The issue involves the checking of security for objects with proxy
roles. The context of the owner user that created the object with
proxy roles was not being taken into account when determining access
to the object with proxy roles. This flaw could allow users defined
in subfolders of a site with sufficient privileges to access objects
at higher levels in the site that they would not normally be able to
access.
We highly recommend that any Zope site running Zope 2.2.0 through Zope
2.5.x have this hotfix product installed to mitigate the issue. Zope
2.5.1 and 2.4.4 will contain a fix for the issue, at which time the
hotfix can be removed.
README
http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz
- Hotfix_2000-10-02
-
This hotfix addresses an important security issue that affects
Zope versions 2.2.0, 2.2.1, and 2.2.2.
It is sometimes possible to access, through a URL only, objects
protected by a role which the user has in some context, but not
in the context of the accessed object.
Currently, the validate() method of all known user folder
implementations validates against the users' roles in the context
of PARENTS[0]. PARENTS[0] refers to the acquisition context of the
object being published. All security checks, however, should check
an object's containment, not its acquisition context.
validate(), therefore, needs to verify the user's roles in the
context of the object being published. This hotfix forces that to
occur by temporarily leaving the object at PARENTS[0] then
removing it after validation has been performed.
Unfortunately, this is not an ideal correction. In the near future all
user folder validate() implementations need to perform security checks
using the new Zope security policy subsystem. Until that is completed,
this hotfix should close the security problem.
While we know of no instances of this issue being used to exploit a
site, we recommend that any Zope 2.2.x site that is accessible by
untrusted clients have this hotfix product installed to mitigate the
issue.
README
http://www.zope.org/Products/Zope/Hotfix_2000-10-02/Hotfix_2000-10-02.tar.gz
The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.
- Hotfix_2000-12-08
-
This hotfix addresses an important security issue that affects
Zope versions 2.2.0 up to and including Zope 2.2.4. (Zope 2.1.x
is not affected by this issue).
The issue involves security registration of "legacy" names for
certain object constructors such as the constructors for DTML
Method objects. Security was not being applied correctly for the
legacy names, making it possible to call those constructors without
the permissions that should have been required. This issue could allow
anonymous users with enough internal knowledge of Zope to instantiate
new DTML Method instances through the Web.
We highly recommend that any Zope site running versions of
Zope 2.2.0 up to and including 2.2.4 have this hotfix product installed
to mitigate the issue.
README
http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz
The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.
- Hotfix_2001-03-08
-
This hotfix addresses an important security issue that affects Zope
version 2.3.0 and the current 2.3.1 beta 1 release.
The issue involves an error in the aq_inContextOf method of objects that
support acquisition. A recent change to the access validation machinery
made this bug begin to affect security restrictions. The bug, with the
change to validation, made it possible to access Zope objects via
acquisition that a user would not otherwise have access to. This issue
could allow users with enough internal knowledge of Zope to perform
actions higher in the object hierarchy than they should be able to.
We highly recommend that any Zope site running Zope 2.3.0 final or any
alpha or beta version of 2.3.0 or 2.3.1 beta 1 have this hotfix product
installed to mitigate the issue. Zope 2.3.1 beta 2 will contain a fix for
the issue, at which time the hotfix can be removed. Zope versions prior
to 2.3.0 are not affected by this issue.
README
http://www.zope.org/Products/Zope/Hotfix_2001-03-08/Hotfix_2001-03-08.tgz
- Hotfix-2005-04-05
-
- Hotfix_2001-07-25
-
This hotfix addresses a potential denial-of-service vulnerability
in applications that use the Python cgi module (cgi.py) for parsing
of "multipart" Web form data (Zope uses this functionality
internally).
More detailed information is available in the Python bug tracker at
SourceForge:
http://sourceforge.net/tracker/?group_id=5470&atid=105470&func=detail&aid=443120
While we are not aware of any instances of abuse of this
vulnerability, we highly recommend that any Zope site running versions
of Zope up to and including 2.4.0 have this hotfix product installed
to mitigate this issue. (Zope 2.4.1 will not require the
installation of a separate hotfix).
README
http://www.zope.org/Products/Zope/Hotfix_2001-07-25/Hotfix_2001-07-25.tar.gz
- Hotfix_2001-05-01
-
This hotfix addresses an important security issue that affects all Zope
versions up to and including Zope 2.3.2.
The issue is related to ZClasses in that any user can visit a ZClass
declaration and change the ZClass permission mappings for methods
and other objects defined within the ZClass, possibly allowing
for unauthorized access within the Zope instance.
We highly recommend that any Zope site running versions of
Zope up to and including 2.3.2 have this hotfix product installed
to mitigate this issue.
Further releases of Zope 2.3 (as well as Zope 2.4) will contain a fix for
the issue, at which time the hotfix can be removed.
README
http://www.zope.org/Products/Zope/Hotfix_2001-05-01/Hotfix_2001-05-01.tgz
- Hotfix_2001-02-23
-
This hotfix addresses an important security issue that affects Zope
versions up to and including Zope 2.3.1 b1.
The issue is related to ZClasses in that a user with through-the-web
scripting capabilities on a Zope site can view and assign class attributes
to ZClasses, possibly allowing them to make inappropriate changes to ZClass
instances.
This patch also fixes problems in the ObjectManager, PropertyManager, and
PropertySheet classes related to mutability of method return values which
could be perceived as a security problem.
We highly recommend that any Zope site running versions of
Zope up to and including 2.3.1 b1 have this hotfix product installed
to mitigate these issues if the site is accessible by untrusted users
who have through-the-web scripting privileges.
README
http://www.zope.org/Products/Zope/Hotfix_2001-02-23/Hotfix_2001-02-23.tgz
- Hotfix_2000-12-18
-
This hotfix addresses a potential security issue that affects
Zope versions up to and including Zope 2.2.4.
The issue involves incorrect protection of a data updating method
on Image and File objects. Because the method was not correctly
protected, it was possible for users with DTML editing privileges
to update the raw data of a File or Image object via DTML even though
they did not have editing privileges on the objects themselves.
We highly recommend that any Zope site running versions of
Zope up to and including 2.2.4 have this hotfix product installed
to mitigate the issue if the site is accessible by untrusted users
who have DTML editing privileges.
README
http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz
The hotfix will work for all versions of Zope 2.1.x and higher. A
Zope 2.2.5 release later this week will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.
- Hotfix_2000-12-15a
-
This hotfix addresses an important security issue that affects
Zope versions up to and including Zope 2.2.4.
The issue involves the computation of local roles. In some situations
the computation was not climbing the correct hierarchy of folders,
sometimes granting local roles inappropriately. This could allow
users with privileges in one folder to gain the same privileges in
another folder.
We highly recommend that any Zope site running versions of
Zope up to and including 2.2.4 have this hotfix product installed
to mitigate the issue.
README
http://www.zope.org/Products/Zope/Hotfix_2000-12-15a/Hotfix_2000-12-15a.tgz
The hotfix will work for all versions of Zope 2.1.x and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.
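The containment-versus-acquisition distinction behind Hotfix_2000-10-02 (validate() checking roles in the context of PARENTS[0] rather than the published object's containment) and the local-roles symptom in Hotfix_2000-12-15a (roles computed by climbing the wrong folder hierarchy), as an added example that is not Zope's code. Node, traverse() and the validate_* functions are a constructed model, not Zope's OFS, Acquisition or AccessControl classes; the site layout in build_site() is invented for the example.

```python
"""Role checks must follow containment, not the acquisition path.

Added example, not Zope's code. bob holds Manager only inside /folderA;
/secret lives in the root and requires Manager. Because /folderA/secret
acquires the document from the root, a check made in the context of
PARENTS[0] (folderA) grants bob access, while a check along the document's
own containment chain (secret -> root) correctly denies it.
"""


class Node:
    """A folder or document. `parent` is containment: where it really lives."""

    def __init__(self, name, parent=None, local_roles=None, required_role=None):
        self.name = name
        self.parent = parent
        self.local_roles = local_roles or {}   # user -> set of roles granted here
        self.required_role = required_role     # None means anyone may view
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    def containment_chain(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


def roles_along(user, chain):
    """Union of the local roles granted to `user` on every node in `chain`."""
    roles = set()
    for node in chain:
        roles |= node.local_roles.get(user, set())
    return roles


def traverse(root, path):
    """Resolve a URL path with acquisition: each name is looked up in the
    current folder and then in that folder's containment ancestors. Returns
    the published object and PARENTS, the acquisition context, innermost
    first (PARENTS[0] is the folder the object was reached through)."""
    current, parents = root, []
    for name in path.strip("/").split("/"):
        parents.insert(0, current)
        for candidate in current.containment_chain():
            if name in candidate.children:
                current = candidate.children[name]
                break
        else:
            raise KeyError(name)
    return current, parents


def _allowed(user, obj, chain):
    if obj.required_role is None:
        return True
    return obj.required_role in roles_along(user, chain)


def validate_via_acquisition(user, obj, parents):
    """The flawed check: roles are computed in the context of PARENTS[0]."""
    return _allowed(user, obj, parents[0].containment_chain())


def validate_via_containment(user, obj, parents):
    """The correct check: roles are computed along the object's own containment."""
    return _allowed(user, obj, obj.containment_chain())


def validate_hotfix_style(user, obj, parents):
    """The hotfix's trick: temporarily place the published object at
    PARENTS[0] so the PARENTS[0]-based check walks the object's containment."""
    parents.insert(0, obj)
    try:
        return validate_via_acquisition(user, obj, parents)
    finally:
        parents.pop(0)


def build_site():
    """Constructed site layout for the example."""
    root = Node("root", local_roles={"alice": {"Manager"}})
    Node("folderA", root, local_roles={"bob": {"Manager"}})
    Node("secret", root, required_role="Manager")
    return root


def can_view(user, path, validate):
    obj, parents = traverse(build_site(), path)
    return validate(user, obj, parents)


if __name__ == "__main__":
    for check in (validate_via_acquisition, validate_via_containment, validate_hotfix_style):
        print(check.__name__, "bob /folderA/secret ->", can_view("bob", "/folderA/secret", check))
```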
- Hotfix_2000-10-11
-
This hotfix addresses an important security issue that affects
Zope versions up to and including Zope 2.2.2.
The issue involves the fact that the subscript notation that can be used
to access items of ObjectManagers (Folders) did not correctly restrict
return values to only actual sub-items. This made it possible to access
names that should be private from DTML (objects with names beginning
with the underscore character, _). This could allow DTML authors to see
private implementation data structures and in certain cases possibly call
methods that they shouldn't have access to from DTML.
While we know of no instances of this issue being used to exploit a
site, we recommend that any Zope 2.2.x site that allows
DTML to be edited by untrusted users apply this Hotfix.
README
http://www.zope.org/Products/Zope/Hotfix_2000-10-11/Hotfix_2000-10-11.tgz
The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.
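The lookup flaw described above, as an added example that is not Zope's code: a container whose subscript lookup falls through to ordinary attribute access beside one that returns only real sub-items and never underscore-prefixed names. Folder, LeakyFolder, StrictFolder and dtml_lookup() are constructed for this example and are not Zope's ObjectManager; the private attribute and item names are invented.

```python
"""Restrict subscript lookup on a container to its real sub-items.

Added example, not Zope's code. LeakyFolder models the pre-hotfix
behaviour, StrictFolder the fixed one; dtml_lookup() stands in for what a
DTML author's folder[name] would yield.
"""


class Folder:
    def __init__(self, items):
        self._objects = dict(items)            # the actual sub-items, by id
        self._acl_cache = {"admin": "hash"}    # private implementation state (constructed)


class LeakyFolder(Folder):
    """Pre-hotfix behaviour: an unknown id falls through to getattr()."""

    def __getitem__(self, name):
        if name in self._objects:
            return self._objects[name]
        return getattr(self, name)             # exposes _acl_cache, __init__, ...


class StrictFolder(Folder):
    """Hotfix behaviour: only real sub-items, and never underscore names,
    whether or not such an object has actually been stored in the folder."""

    def __getitem__(self, name):
        if not isinstance(name, str) or name.startswith("_"):
            raise KeyError(name)
        if name not in self._objects:
            raise KeyError(name)               # no fallback to attributes
        return self._objects[name]


def dtml_lookup(folder, name):
    """What a DTML author's folder[name] yields, or 'denied' on refusal."""
    try:
        return folder[name]
    except (KeyError, AttributeError):
        return "denied"


if __name__ == "__main__":
    items = {"about": "<p>about</p>", "_hidden": "secret"}
    for cls in (LeakyFolder, StrictFolder):
        folder = cls(items)
        print(cls.__name__, [dtml_lookup(folder, n) for n in ("about", "_hidden", "_acl_cache")])
```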
- Hotfix_2000-08-17
-
We recently became aware of an important security issue
that affected all released Zope versions prior to 2.2.1.
A Hotfix product was released (Hotfix_08_09_2000) to correct
the issue, but that hotfix missed one aspect of the issue.
The issue involved the fact that the getRoles method of user objects
contained in the default UserFolder implementation returns a mutable
Python type. Because the mutable object is still associated with the
persistent User object, users with the ability to edit DTML could
arrange to give themselves extra roles for the duration of a single
request by mutating the roles list as a part of the request processing.
Further investigation revealed that it was possible to access
the mutable attribute directly to perform the same exploit. This
hotfix release (2000-08-17) has been made to resolve both
aspects of the issue. Note that this hotfix supersedes the
2000-08-09 hotfix release.
While we know of no instances of this issue being used to exploit a
site, we highly recommend that any Zope site running versions of
Zope prior to 2.2.1 have this hotfix product installed to mitigate
the issue if the site is accessible by untrusted users who have DTML
editing privileges.
A hotfix for this issue in the form of an add-on Zope product has been
made available on zope.org. To install the hotfix, simply download and
install the package as you would any other Zope add-on product (extract
it in the root of your Zope installation). Remember to restart your Zope
installation for the hotfix to take effect.
http://www.zope.org/Products/Zope/Hotfix_2000-08-17/Hotfix_2000-08-17.tgz
The hotfix will work for all versions of Zope 2.0 and higher. The
forthcoming Zope 2.2.1 release will contain the fix for this
issue, and you will be able to uninstall the hotfix after upgrading
to 2.2.1 or higher (though nothing bad will happen if you
don't uninstall it).
- Hotfix_08_09_2000
-
We have recently become aware of an important security issue
that affects all released Zope versions prior to 2.2.1 beta 1.
The issue involves the fact that the getRoles method of user objects
contained in the default UserFolder implementation returns a mutable
Python type. Because the mutable object is still associated with the
persistent User object, users with the ability to edit DTML could
arrange to give themselves extra roles for the duration of a single
request by mutating the roles list as a part of the request processing.
While we know of no instances of this issue being used to exploit a
site, we highly recommend that any Zope site running versions of
Zope prior to 2.2.1 have this hotfix product installed to mitigate
the issue if the site is accessible by untrusted users who have DTML
editing privileges.
A hotfix for this issue in the form of an add-on Zope product has been
made available on zope.org. To install the hotfix, simply download and
install the package as you would any other Zope add-on product (extract
it in the root of your Zope installation). Remember to restart your Zope
installation for the hotfix to take effect.
http://www.zope.org/Products/Zope/Hotfix_08_09_2000/Hotfix_08_09_2000.tgz
The hotfix will work for all versions of Zope 2.0 and higher. The
forthcoming Zope 2.2.1 beta 1 release will contain the fix for this
issue, and you will be able to uninstall the hotfix after upgrading
to 2.2.1 beta 1 or higher (though nothing bad will happen if you
don't uninstall it).
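The two aspects of the getRoles issue covered by Hotfix_08_09_2000 and Hotfix_2000-08-17, as an added example that is not Zope's code. The three User classes are a constructed model: the original behaviour (getRoles() returns the live list), a partial fix that copies the list on return but leaves the stored attribute mutable (the kind of gap the 2000-08-17 advisory describes), and storage as an immutable tuple. has_role(), the attack functions and escalates() are invented for the example; the page does not say exactly how the first hotfix was implemented.

```python
"""Why getRoles() must not hand out a mutable, persistent role list.

Added example, not Zope's AccessControl.User. A DTML author who holds only
the Author role runs during one request and tries to append "Manager" to
the role list; the access check later in the same request then consults
that list.
"""


def has_role(user, role):
    """The access check: consult the user's roles for this request."""
    return role in user.getRoles()


class LiveListUser:
    """Original behaviour: getRoles() returns the very list stored on the user."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        return self._roles


class CopyOnReturnUser:
    """Partial fix (model): callers get a copy, but the stored list is still
    mutable and reachable as an attribute."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        return list(self._roles)


class TupleUser:
    """Complete fix (model): roles live in a tuple, so neither the returned
    value nor the attribute can be appended to."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = tuple(roles)

    def getRoles(self):
        return self._roles


def attack_via_getroles(user):
    """First aspect: mutate whatever getRoles() returns."""
    try:
        user.getRoles().append("Manager")
    except AttributeError:
        pass                                   # tuples have no append()


def attack_via_attribute(user):
    """Second aspect: reach the stored list directly. (Zope's restricted
    through-the-web execution additionally forbids underscore-prefixed names;
    this model only shows the effect of the storage type.)"""
    try:
        user._roles.append("Manager")
    except AttributeError:
        pass


def escalates(user_cls):
    """Run each attack in its own simulated request and report whether the
    user ends the request holding Manager: (via getRoles, via attribute)."""
    user = user_cls("bob", ["Author"])
    attack_via_getroles(user)
    via_getroles = has_role(user, "Manager")
    user = user_cls("bob", ["Author"])
    attack_via_attribute(user)
    via_attribute = has_role(user, "Manager")
    return via_getroles, via_attribute


if __name__ == "__main__":
    for cls in (LiveListUser, CopyOnReturnUser, TupleUser):
        print(cls.__name__, escalates(cls))
```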
- Hotfix_06_16_2000
-
We have recently become aware of an important security issue
that affects all released Zope versions including the recent
2.2 beta 1 release.
The issue involves an inadequately protected method in one of
the base classes in the DocumentTemplate package that could allow
the contents of DTMLDocuments or DTMLMethods to be changed
remotely or through DTML code without forcing proper user
authorization.
A hotfix for this issue in the form of an add-on
Zope product has been made available on zope.org.
To install the hotfix, simply download and install
the package as you would any other Zope add-on
product (extract it in the root of your Zope
installation). Remember to restart your Zope installation
for the hotfix to take effect.
http://www.zope.org/Products/Zope/Hotfix_06_16_2000/Hotfix_06_16_2000.tgz
The hotfix will work for all versions of Zope 2.0
and higher, including the recent 2.2 alpha and
beta releases. The forthcoming Zope 2.2 beta 2
release will contain a fix for this issue, and you
will be able to uninstall the hotfix after upgrading
to 2.2 (though nothing bad will happen if you don't
uninstall it).
Note that the 2.1.7 release that was initially made
to address this issue has been pulled in favor of
this hotfix product, which will allow managers of
Zope sites to address this issue without worrying
about other implications of upgrading their
installations.
While we know of no instances of this issue being used to exploit a
site, we highly recommend that any Zope site that is accessible by
untrusted clients install the 06/16/2000 hotfix
product immediately.