Zope Image and File Update Data Protection Bypass

Medium Nessus Plugin ID 10569


The remote web server contains an application server that fails to protect stored content from modification by remote users.


According to its banner, the remote web server is Zope < 2.2.5. Such versions suffer from a security issue involving incorrect protection of a data updating method on Image and File objects. Because the method is not correctly protected, it is possible for users with DTML editing privileges to update the raw data of a File or Image object via DTML though they do not have editing privileges on the objects themselves.

*** Since Nessus solely relied on the version number of the server,
*** consider this a false positive if the hotfix has already been applied.


Upgrade to Zope 2.2.5 or apply the hotfix referenced in the vendor advisory above.

See Also



Plugin Details

Severity: Medium

ID: 10569

File Name: zope_img_updating.nasl

Version: $Revision: 1.26 $

Type: remote

Family: Web Servers

Published: 2000/12/19

Modified: 2014/05/21

Dependencies: 10107, 17975

Risk Information

Risk Factor: Medium


Base Score: 6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:U/RC:C

Vulnerability Information

Required KB Items: www/zope

Vulnerability Publication Date: 2000/12/12

Reference Information

CVE: CVE-2000-1212

BID: 922

OSVDB: 468, 6283