zope: privilege escalation (NOT!)
Posted Jul 21, 2006 19:22 UTC (Fri) by tseaver
Parent article: zope: privilege escalation
This vulnerability is an "information disclosure" problem, not a
"privilege escalation"; as the Ubuntu alert notes:
A remote user with the privilege of editing Zope webpages with
RestructuredText could exploit this to expose arbitrary files that can be
read with the privileges of the Zope server.
The original announcement includes a hotfix product,
which it recommends deploying on any Zope instance which cannot be
upgraded to a recent version of Zope.
I did the analysis, wrote the hotfix product, and checked in the fixes.