Index: openacs-4/packages/acs-tcl/tcl/apm-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/apm-procs.tcl,v
diff -u -r1.87 -r1.87.2.1
--- openacs-4/packages/acs-tcl/tcl/apm-procs.tcl	31 Mar 2010 18:08:59 -0000	1.87
+++ openacs-4/packages/acs-tcl/tcl/apm-procs.tcl	11 May 2010 23:38:17 -0000	1.87.2.1
@@ -195,9 +195,30 @@ switch $dependency_type {
         extends - "" {
             lappend apm_package_url_resolution [acs_root_dir]/packages/$package_key/www
         }
-        embeds { lappend apm_package_url_resolution \
-            [list [acs_root_dir]/packages/$package_key/embed $package_key]
-        }
+        embeds {
+
+            # Reference to an embedded package is through URLs relative to the embedding
+            # package's mount point, taking one of the forms package-key,
+            # admin/package-key and sitewide-admin/package-key. These map to package-key/embed,
+            # package-key/embed/admin, and package-key/embed/sitewide-admin respectively.
+
+            # We break references like package-key/admin because such references are unsafe,
+            # as the request processor will not perform the expected permission check.
+
+            lappend apm_package_url_resolution \
+                [list [acs_root_dir]/packages/$package_key/embed/admin admin/$package_key]
+            lappend apm_package_url_resolution \
+                [list "" $package_key/admin]
+
+            lappend apm_package_url_resolution \
+                [list [acs_root_dir]/packages/$package_key/embed/sitewide-admin \
+                    sitewide-admin/$package_key]
+            lappend apm_package_url_resolution \
+                [list "" $package_key/sitewide-admin]
+
+            lappend apm_package_url_resolution \
+                [list [acs_root_dir]/packages/$package_key/embed $package_key]
+        }
         default {
             error "apm_package_list_url_resolution: dependency type is $dependency_type"
         }
Index: openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl,v
diff -u -r1.102 -r1.102.2.1
--- openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl	11 Mar 2010 11:03:01 -0000	1.102
+++ openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl	11 May 2010 23:38:17 -0000	1.102.2.1
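Review bot: The two blocking entries `[list "" $package_key/admin]` and `[list "" $package_key/sitewide-admin]` only take effect because they are appended before the catch-all `[list [acs_root_dir]/packages/$package_key/embed $package_key]`; the request processor side matches by prefix and appears to act on the first hit, so reordering these lappends would silently reopen the unchecked path. That ordering constraint is not recorded in the new comment block, so I would add `# Order matters: the "" (blocking) entries must precede the catch-all $package_key entry, because the request processor acts on the first prefix match.` above the first lappend. The block is also a bare prefix rather than a path-segment match, so `$package_key/admin` will equally reject a legitimate embedded page whose name merely begins with `admin` (e.g. `$package_key/administer`); the comment should state whether that over-blocking is accepted or a trailing-slash form is wanted. The enclosing proc (apm_package_list_url_resolution, per the error string) starts and ends outside the hunk.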
@@ -869,6 +869,12 @@
         set extra_url [ad_conn extra_url]
         if { $match_prefix ne "" } {
             if { [string first $match_prefix $extra_url] == 0 } {
+                # An empty root indicates we should reject the attempted reference. This
+                # is used to block references to embeded package [sitewide-]admin pages that
+                # avoid the request processor permission check
+                if { $root eq "" } {
+                    break
+                }
                 set extra_url [string trimleft \
                     [string range $extra_url [string length $match_prefix] end] /]
             } else {
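Review bot: The new `break` rejects the reference only implicitly, since whatever runs after the loop decides the actual response, and that code (like the loop header that binds `$root` and `$match_prefix`) is outside the hunk; the comment should say what the request then resolves to, e.g. `# After the break the URL falls through to normal resolution and is expected to 404; do not let a later resolution entry re-map it.`, and that expectation deserves a regression test requesting `package-key/admin` through an embedding package. Because this is a deliberate security rejection, it would also be worth making it observable, e.g. `ns_log Notice "rp: rejecting reference $extra_url (empty root for prefix $match_prefix)"` before the `break`, so attempts show up in the server log. The comment should name where empty roots are produced (apm_package_list_url_resolution) so the sentinel coupling survives refactoring, and "embeded" should read "embedded".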