It is *not* possible for the anonymous user to read sensitive information like the user folder in any version of eZ publish.
It is claimed in this forum thread that eZ publish versions between 3.4 and 3.6 are affected by this flaw. This is not true. We have tested and can confirm that the following versions do indeed behave as expected:
3.4.0
3.4.7
3.5.0
3.5.10
Lazaro, since you have this misbehavior on your sites it must be because you have modified the anonymous user's privileges. eZ publish is not shipped with such privileges on the anonymous user by default.
Actually the problem was detected in EZP 3.4.2 and EZP 3.5.1.
I can assure you that we haven't modified any privileges (at least explicitly) for the anonymous user here, so I think the problem could be related to our usual setup.
Our setups are typically done using the eZ setup wizard, with:
using URL access,
two languages (Portuguese and UK English),
the corporate package plus features like forums, mediafiles and shop at setup time.
Every site affected had a second design siteaccess folder added manually after finishing the setup.
I am still unable to reproduce this.
After installation, the anonymous user has the following roles (which is correct):
content read Section( Standard )
content pdf Section( Standard )
shop buy No limitations
rss read No limitations
user login SiteAccess( corporate )
What kind of policies do you have in your installation for the anonymous user?
Best regards, VidarL