=====================================================================
CERT-Renater Note d'Information No. 2007/VULN137
_____________________________________________________________________

DATE                 : 22/03/2007
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Zope.
======================================================================

http://mail.zope.org/pipermail/zope-announce/2007-March/002081.html
______________________________________________________________________

A vulnerability has been discovered in Zope, where by certain types of misuse of HTTP GET, an attacker could gain elevated privileges. All Zope versions up to and including 2.10.2 are affected.

Overview

This hotfix removes the exploit by mandating that security setting alterations can only be made through POST requests.

This vulnerability has been fixed in the Zope 2.8, 2.9 and 2.10 branches and all future releases of Zope will include this fix.

Do note that this patch only affects direct requests to the security methods; any 3rd-party code that calls these methods indirectly may still be affected.

Hotfix

We have prepared a hot fix for this problem at:

  http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/

This hotfix should be installed as soon as possible. To install, simply extract the archive into your Products directory in your Zope installation. See:

  http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/README.txt

for installation instructions.
--
Martijn Pieters
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44     +
+ 151 bd de l'Hopital  | fax  : 01-53-94-20-41     +
+ 75013 Paris          | email: certsvp@renater.fr +
=========================================================
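The policy the hotfix enforces, a security-setting change that is honoured only when it arrives as a POST, is illustrated below as an added Python example. This is not Zope's hotfix code and not Zope's API: the Request and Container classes, the post_only decorator and the change_roles handlers are hypothetical stand-ins written for this note. It shows the same role-change operation before and after the guard, driven by constructed GET and POST requests.

```python
"""Request-method guard for state-changing security operations.

Added illustration for the advisory above; not Zope's hotfix code.  The
Request/Container classes and the change_roles handlers are hypothetical
stand-ins.  The point demonstrated is the hotfix's: a security setting must
not change on a GET (a request a browser can be made to send without the
user's intent), only on an explicit POST.
"""
from dataclasses import dataclass, field
from functools import wraps


class MethodNotAllowed(Exception):
    """Raised when a guarded handler is reached via a non-POST request."""


@dataclass
class Request:
    # Constructed stand-in for a web request, not Zope's REQUEST object.
    method: str
    form: dict = field(default_factory=dict)


@dataclass
class Container:
    # Minimal object holding role assignments (hypothetical, not a Zope class).
    local_roles: dict = field(default_factory=dict)


def post_only(handler):
    """Decorator: run the handler only when the request method is POST.

    This is the policy the advisory describes, expressed as an assumed
    decorator rather than Zope's own implementation.
    """
    @wraps(handler)
    def guarded(obj, request, *args, **kwargs):
        if request.method.upper() != "POST":
            raise MethodNotAllowed(
                f"{handler.__name__} only accepts POST, got {request.method}")
        return handler(obj, request, *args, **kwargs)
    return guarded


def change_roles_unguarded(container, request):
    """'Before' behaviour: the role map changes on any method, GET included."""
    container.local_roles[request.form["userid"]] = list(request.form["roles"])
    return dict(container.local_roles)


@post_only
def change_roles(container, request):
    """'After' behaviour: the identical mutation, reachable only through POST."""
    container.local_roles[request.form["userid"]] = list(request.form["roles"])
    return dict(container.local_roles)


def apply_request(handler, container, request):
    """Dispatch one request and report (accepted, local_roles_after).

    A refused request must leave the container's role map untouched.
    """
    try:
        handler(container, request)
        return True, dict(container.local_roles)
    except MethodNotAllowed:
        return False, dict(container.local_roles)


if __name__ == "__main__":
    # Constructed requests carrying the parameters a role-change form submits.
    # Before the fix the GET takes effect; after it only the POST does.
    get_req = Request("GET", {"userid": "alice", "roles": ["Manager"]})
    post_req = Request("POST", {"userid": "alice", "roles": ["Manager"]})

    print("unguarded GET :", apply_request(change_roles_unguarded, Container(), get_req))
    print("guarded GET   :", apply_request(change_roles, Container(), get_req))
    print("guarded POST  :", apply_request(change_roles, Container(), post_req))
```

The decorator sits on the request entry point, which is exactly why the advisory's caveat applies: code that calls the underlying operation in-process, bypassing the request dispatch, is never checked, so third-party products that reach the security methods indirectly need their own review.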