This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.
The remote Mandrake Linux host is missing one or more security
The exploit that was not fixed with the previous Zope hotfix involves
the getRoles method of user objects contained in the default
UserFolder implementation returning a mutable Python type. Because the
mutable object is still associated with the persistent User object,
users with the ability to edit DTML could arrange to give themselves
extra roles for the duration of a single request by mutating the roles
list as part of the request processing. Further investigation revealed
that it was possible to access the mutable attribute directly to
perform the same exploit.
Please note that this update supercedes the previous advisory dated
August 16th (MDKSA-2000:035).
Update the affected packages.
Risk factor :
Get Nessus Professional to scan unlimited IPs, run compliance checks & moreBuy Nessus Professional Now