[Thanks to LinuxNews.com for this link.]
“Zope Weekly News has reported a problem with its security
model that appears to be potentially pervasive and not necessarily
Zope-specific. This is the first installment in a three-part
series on Zope’s efforts to rein in the trojan, which will be
further explored in LinuxNews.com later this week.”
According to Zope, the problem isn’t necessarily an easy one to
spot. “The issue involves a way that less privileged site users
with the ability to edit DTML [content] could trick more privileged
users into executing their content, taking actions on behalf of the
higher privileged user that he did not intend (and may not even be
aware of).”
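To make the class of problem concrete, here is an added illustration (a toy model of my own, not Zope code and not the fix Zope shipped; the user names, permission names and the `StoredContent` type are assumptions). Stored content that runs with whatever rights its viewer holds lets a low-privileged author act as any higher-privileged user who renders it; bounding the effective rights by the author's own permissions, a standard mitigation for this confused-deputy pattern, removes that gain.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # permissions the site grants to this user


@dataclass(frozen=True)
class StoredContent:
    """Through-the-web editable, executable content (the role DTML plays in
    Zope) together with the user who last edited it. Constructed sample:
    each step names the permission that step needs."""
    author: User
    steps: tuple


def execute_as_viewer(content: StoredContent, viewer: User) -> dict:
    """Vulnerable model: every step is checked only against the viewer, so a
    step the author could never perform succeeds as soon as a more privileged
    user merely renders the content."""
    return {step: step in viewer.permissions for step in content.steps}


def execute_with_author_bound(content: StoredContent, viewer: User) -> dict:
    """Mitigated model: a step must be permitted for BOTH the viewer and the
    author. The author gains nothing by getting someone else to run the
    content, and the viewer remains bounded by their own permissions."""
    effective = viewer.permissions & content.author.permissions
    return {step: step in effective for step in content.steps}


# Constructed sample site: a low-privileged contributor and a site manager.
CONTRIBUTOR = User("contributor", frozenset({"View", "Add Comment"}))
MANAGER = User("manager", frozenset({"View", "Add Comment",
                                     "Manage Users", "Delete Site"}))

# The contributor edits a page that, beside its legitimate step, quietly
# attempts a manager-only step, hoping a manager will open the page.
PLANTED_PAGE = StoredContent(author=CONTRIBUTOR,
                             steps=("Add Comment", "Delete Site"))


def demo() -> dict:
    """Run the planted page as the manager under both models."""
    return {"vulnerable": execute_as_viewer(PLANTED_PAGE, MANAGER),
            "mitigated": execute_with_author_bound(PLANTED_PAGE, MANAGER)}
```

Under the vulnerable model the manager's own visit performs "Delete Site"; under the author-bound model the same visit still performs "Add Comment" but refuses the step the contributor was never allowed to take.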
“Zope, an Open Source Web application server, consists of
several interoperable components aimed at providing “a flexible
application server package,” Zope officials said. Zope includes an
Internet server, a transactional object database, a search engine,
a Web page templating system, a through-the-Web development and
management tool, and support.”