Zope < 2.3.3 ZClass Permission Mapping Modification Local Privilege Escalation

This script is Copyright (C) 2001-2013 Alert4Web.com


Synopsis :

The remote web server contains an application server that is prone
to a privilege escalation flaw.

Description :

The remote web server uses a version of Zope which is older than
version 2.3.3. In such versions, any user can visit a ZClass
declaration and change the ZClass permission mappings for methods and
other objects defined within the ZClass, possibly allowing for
unauthorized access within the Zope instance.

*** Nessus solely relied on the version number of the server, so if
*** the hotfix has already been applied, this might be a false positive

See also :

http://www.zope.org/Products/Zope/Hotfix_2001-05-01/security_alert

Solution :

Upgrade to Zope 2.3.3 or apply the hotfix referenced in the vendor
advisory above.

Risk factor :

Medium / CVSS Base Score : 4.6
(CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)

Family: Web Servers

Nessus Plugin ID: 10777 ()

Bugtraq ID:

CVE ID: CVE-2001-0567