It was found that any user including the guest user may have been able
to update any resource in the database without needing to login as the
As soon as the problem was located it was investigated and fixed. As a
team, we are committed to the security of the eXist XML Native Database.
If you encounter any security concerns please don't hesitate to let us
This has been fixed in eXist SVN as of 2006/03/24 16:04:56 GMT it was
Attached is a patch for org.exist.storage.BrokerPool.
If you cannot apply the patch and wish to manually make the change
yourself, please add the next two lines to the end of the sync() method
//After setting the SYSTEM_USER above we must change back to the DEFAULT User to prevent a security problem
You will then need to rebuild your eXist in place for these changes to
take effect; this is done by executing the build.sh/build.bat script.
Devon Portal Developer
Devon Portal Project
t: 01392 38 3683
f: 01392 38 2966
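
The failure mode described by the patch comment above, as an added illustration that is not eXist's code and not part of the original message: a housekeeping routine raises a shared broker to the system user and does not step back down, so the next ordinary request inherits that identity. All class, method and path names are hypothetical, and the model assumes that the broker touched by sync() is later used for guest requests; restoring in `finally` goes one step beyond the two-line fix so that an exception cannot skip the reset.

```java
// Added illustration; a toy model, not eXist's BrokerPool. All names are hypothetical.
import java.util.HashMap;
import java.util.Map;

public class BrokerIdentityLeak {
    enum User { GUEST, SYSTEM }

    // A shared worker object that carries the identity used for permission checks.
    static class Broker {
        User user = User.GUEST;
        final Map<String, String> store = new HashMap<>();

        // Only the system user may write in this toy model.
        boolean update(String path, String data) {
            if (user != User.SYSTEM) return false;
            store.put(path, data);
            return true;
        }
    }

    // "Before": housekeeping elevates the broker and never steps back down.
    static void syncLeaky(Broker b) {
        b.user = User.SYSTEM;
        b.store.put("/sync-marker", "flushed"); // constructed stand-in for privileged work
    }

    // "After": identity is restored in finally, so a failure during sync cannot skip it.
    static void syncFixed(Broker b) {
        User previous = b.user;
        b.user = User.SYSTEM;
        try {
            b.store.put("/sync-marker", "flushed");
        } finally {
            b.user = previous;
        }
    }

    public static void main(String[] args) {
        Broker leaky = new Broker();
        syncLeaky(leaky);
        // A guest request served by the same broker is checked against the leftover identity.
        System.out.println("leaky sync, guest write allowed: " + leaky.update("/db/a.xml", "x"));

        Broker fixed = new Broker();
        syncFixed(fixed);
        System.out.println("fixed sync, guest write allowed: " + fixed.update("/db/a.xml", "x"));
    }
}
```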