Zope Vulnerabilities

Created 2/27/01
CVE 2000-0062
CVE 2000-0483
CVE 2000-0725
CVE 2001-0128

Impact

Multiple vulnerabilities could allow a remote attacker to perform unauthorized actions on the server.

Background

Zope is a web application server which comes with support for membership, search, and news. The package includes an internet server, a transactional object database, and other components. Zope also features ZClasses, user-defined extensions to Zope's set of object types which can be created over the web.

The Problems


Vulnerability in ZClasses

In Zope version 2.3.1 b1 and earlier, a user with through-the-web scripting capabilities can view and assign class attributes to ZClasses, possibly allowing them to make inappropriate changes to ZClass instances.


Vulnerability in DocumentTemplate Package

CVE 2000-0483
An inadequately protected method in one of the base classes in the DocumentTemplate package could allow the contents of DTMLDocuments or DTMLMethods to be changed, either remotely or from DTML code, without the proper authorization check being enforced. All Zope versions prior to 2.1.7, and Zope 2.2 beta versions prior to 2.2 beta 1, are affected by this vulnerability.


Vulnerability in Local Role calculation

CVE 2001-0128
A vulnerability in the calculation of Local Roles in Zope 2.2.4 and earlier could allow a local user to gain privileges. Zope fails to properly check for folder hierarchy when calculating local roles. A local attacker could use this vulnerability to gain unauthorized access to folders.


Vulnerability in getRoles

CVE 2000-0725
A vulnerability in the getRoles method of user objects contained in the default UserFolder implementation could allow users with the ability to edit DTML to give themselves extra roles for the duration of a single request. All Zope versions prior to 2.2.1 beta 1 are affected by this vulnerability.
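As an added illustration of the two role-related issues above (the Local Roles calculation and getRoles), here is a small constructed Python model; it is not Zope's code and is not taken from the advisories. Local roles are resolved only by walking the object's containing folders, so a grant on one folder never reaches a sibling tree, and a user's getRoles returns an immutable tuple, so code running during a request (such as DTML) cannot alter the user's roles through the returned object. The folder names, users and role names are constructed, and treating an immutable roles value as the relevant defensive property for getRoles is an assumption made for this example, not something the advisory states.

```python
# Constructed model of Zope-style local-role resolution. Not Zope's code.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, Optional, Tuple


@dataclass
class Folder:
    """A container in the site hierarchy; parent is None for the root."""
    name: str
    parent: Optional["Folder"] = None
    # user id -> roles granted locally in this folder only
    local_roles: Dict[str, Tuple[str, ...]] = field(default_factory=dict)

    def grant(self, user: str, *roles: str) -> None:
        current = set(self.local_roles.get(user, ()))
        self.local_roles[user] = tuple(sorted(current | set(roles)))

    def path(self) -> str:
        parts = [f.name for f in containment_chain(self)]
        return "/" + "/".join(reversed(parts))


def containment_chain(obj: Folder) -> Iterator[Folder]:
    """Yield obj and then each folder that contains it, up to the root.

    This is the only place local roles are looked up, so a grant on a
    folder that is not an ancestor of obj can never contribute to obj's roles.
    """
    node: Optional[Folder] = obj
    while node is not None:
        yield node
        node = node.parent


@dataclass
class User:
    name: str
    _roles: Tuple[str, ...] = ("Authenticated",)

    def getRoles(self) -> Tuple[str, ...]:
        # A tuple is immutable: code that receives it cannot append or
        # replace roles through the returned object, so the user's roles
        # cannot drift during a request. (Assumed defensive property.)
        return self._roles


def effective_roles(user: User, obj: Folder) -> FrozenSet[str]:
    """Global roles plus every local role granted on obj or an ancestor."""
    roles = set(user.getRoles())
    for node in containment_chain(obj):
        roles.update(node.local_roles.get(user.name, ()))
    return frozenset(roles)


def allowed(user: User, obj: Folder, roles_with_permission) -> bool:
    """True if any of the user's effective roles carries the permission."""
    return not effective_roles(user, obj).isdisjoint(roles_with_permission)


def build_sample_site():
    """Constructed sample: /public and /private are siblings under the root."""
    root = Folder("root")
    public = Folder("public", parent=root)
    private = Folder("private", parent=root)
    reports = Folder("reports", parent=private)

    alice = User("alice")
    bob = User("bob")
    public.grant("alice", "Manager")   # alice manages /public and below only
    private.grant("bob", "Owner")      # bob owns /private and below

    folders = {"root": root, "public": public, "private": private, "reports": reports}
    users = {"alice": alice, "bob": bob}
    return folders, users


if __name__ == "__main__":
    folders, users = build_sample_site()
    for uname, user in users.items():
        for fname in ("public", "private", "reports"):
            folder = folders[fname]
            print(uname, folder.path(), sorted(effective_roles(user, folder)))
```

Running the script prints, for each user and folder, the roles that are in force there: alice holds Manager under /root/public but only Authenticated under /root/private/reports, while bob's Owner grant on /root/private carries down to /root/private/reports. Any attempt to call `append` on the value returned by `getRoles()` fails because it is a tuple.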


Vulnerability in DTML Implementation

CVE 2000-0062
A problem in the DTML implementation in Zope 2.x versions prior to 2.1.2 and Zope 1.x versions prior to 1.10.4 could allow an attacker to perform unauthorized activities on the server.

Resolution

Upgrade to the latest stable or development version of Zope. If that version is 2.3.1b1 or earlier, also install the hotfix for the ZClasses vulnerability.

For users who are unable or do not wish to upgrade, hotfixes have been made available to fix each of the above vulnerabilities.

Where can I read more about this?

The ZClasses vulnerability was reported in a Zope Security Alert. The DocumentTemplate problem was reported in a Zope Security Alert. The vulnerability in the calculation of Local Roles was reported in an X-Force Advisory. The getRoles problem was reported in a Zope Security Alert. The DTML problem was reported in an X-Force Advisory.

For general information about Zope, see An Introduction to Zope by Brian Lloyd.