Vigil@nce - Zope: vulnerabilities of AccessControl
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use two vulnerabilities of AccessControl in order
to access Zope.
Impacted products: Unix (platform), Zope
Severity: 2/4
Creation date: 10/09/2012
DESCRIPTION OF THE VULNERABILITY
The AccessControl module processes Zope2 authentication. It is
impacted by two vulnerabilities.
A restricted module can import code. [severity:2/4; 1047318]
An attacker can override the rolesForPermissionOn variable of
ZopeSecurityPolicy.py. [severity:2/4]
An attacker can therefore use two vulnerabilities of
AccessControl in order to access Zope.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Zope-vulnerabilities-of-AccessControl-11926