Family: Web Servers --> Category: infos
Zope Image Updating Method Vulnerability Scan
Vulnerability Scan Summary Checks for Zope
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains an application server that fails to
protect stored content from modification by remote users.
Description :
According to its banner, the remote web server is Zope < 2.2.5. Such
versions suffer from a security issue involving incorrect protection
of a data updating method on Image and File objects. Because the
method is not correctly protected, a user who holds DTML editing
rights can update the raw data of a File or Image object via DTML
even though they have no editing rights on the objects themselves.
*** Since Nessus solely relied on the version number of your server,
*** consider this a false positive if you applied the hotfix already.
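The check above is purely banner-based, so the same logic can be reproduced and audited locally. The following is an added example, not the Nessus plugin's own code: it parses the version out of a Zope `Server` header and compares it against the fixed release, 2.2.5. The banner layout `Zope/(Zope X.Y.Z ...)` is assumed from the historical Zope Server header format, and all sample banners are constructed for illustration. As the note says, a "flagged" result on a host that already has the hotfix applied is a false positive, which is why the result carries the parsed version so an operator can reconcile it against patch records.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample Server headers (not captured from any real host).
# The "Zope/(Zope X.Y.Z ...)" layout is an assumption about the historical
# Zope Server banner; adjust the regex if your deployment reports differently.
SAMPLE_BANNERS = [
    "Zope/(Zope 2.2.4 (source release, python 1.5.2, linux2), python 1.5.2, linux2) ZServer/1.1b1",
    "Zope/(Zope 2.2.5 (binary release, python 1.5.2, linux2), python 1.5.2, linux2) ZServer/1.1b1",
    "Zope/(Zope 2.3.0 (source release, python 2.0, linux2)) ZServer/1.1",
    "Apache/1.3.14 (Unix)",
]

# First release in which the Image/File data updating method is protected.
FIXED_VERSION: Tuple[int, int, int] = (2, 2, 5)

_ZOPE_VERSION_RE = re.compile(r"Zope/\(Zope\s+(\d+)\.(\d+)\.(\d+)")


def parse_zope_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return the (major, minor, patch) Zope version from a Server header,
    or None when the header does not identify a Zope server."""
    match = _ZOPE_VERSION_RE.search(server_header)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def classify(server_header: str) -> Dict[str, object]:
    """Classify one banner as 'not-zope', 'flagged' (version < 2.2.5) or 'ok'.

    A 'flagged' verdict is version-based only: if the vendor hotfix was
    applied without a version bump, treat it as a false positive.
    """
    version = parse_zope_version(server_header)
    if version is None:
        return {"status": "not-zope", "version": None}
    if version < FIXED_VERSION:
        return {"status": "flagged", "version": version,
                "note": "banner-based; false positive if hotfix applied"}
    return {"status": "ok", "version": version}


def run_checks(banners=SAMPLE_BANNERS) -> Dict[str, str]:
    """Map each banner to its verdict; handy for reviewing scanner output."""
    return {banner: str(classify(banner)["status"]) for banner in banners}


if __name__ == "__main__":
    for banner, status in run_checks().items():
        print(f"{status:9s} {banner}")
```

Tuple comparison does the right thing here because each component is an integer, so 2.2.4 sorts before 2.2.5 and 2.3.0 sorts after it; comparing the raw strings would not.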
See also :
http://mail.zope.org/pipermail/zope-announce/2000-December/000323.html
http://www.zope.org/Products/Zope/Hotfix_2000-12-18/security_alert
Solution :
Upgrade to Zope 2.2.5 or apply the hotfix referenced in the vendor
advisory above.
Threat Level:
Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:R/C:P/A:P/I:P/B:N)