On Thursday, March 13, 2003, at 11:54 AM, Christian Tismer wrote:
Dear Zope community,
please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know.
From a sysadmin's point of view, it is roughly equivalent to Apache with CGI or PHP. The major differences are:

- Zope's authentication & authorization systems are implicit in everything you write. It is harder to write insecure code than in PHP or CGI.
- Anyone with ability to create dynamic content (dtml, python, zpt) can DOS your server.
- You usually need to run Apache in front of Zope, which adds an additional attack point.

-- 
Stuart Bishop <zen@shangri-la.dropbear.id.au>
http://shangri-la.dropbear.id.au/
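To make the first of Stuart's points concrete, here is an added example (not from the thread, and not Zope's own code) of what "authorization implicit in everything you write" means in practice: the framework mediates every attribute access from through-the-web code against a declared permission table, so an author who forgets to check still cannot leak data. The names Unauthorized, guarded_getattr, RestrictedProxy, ROLE_PERMISSIONS and the Document class are this example's own simplifications, and the role and document data are constructed; Zope's real AccessControl machinery is considerably more involved.

```python
# Simplified model of declarative, per-access authorization in the spirit
# of Zope's guarded attribute access. This is NOT Zope's code; every name
# below is an assumption made for illustration.


class Unauthorized(Exception):
    """Raised by the framework, not by the script author, on any disallowed access."""


# Role -> permission mapping (constructed sample data).
ROLE_PERMISSIONS = {
    "Anonymous": {"View"},
    "Member": {"View"},
    "Manager": {"View", "Manage documents"},
}


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def permissions(self):
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


class Document:
    # Declarative protection: each exposed attribute names the permission
    # required to read it. Anything not listed here is denied by default.
    __permissions__ = {
        "title": "View",
        "body": "View",
        "draft_notes": "Manage documents",
    }

    def __init__(self, title, body, draft_notes, owner):
        self.title = title
        self.body = body
        self.draft_notes = draft_notes
        self.owner = owner  # never declared, so never reachable via the proxy


def guarded_getattr(user, obj, name):
    """Every attribute read issued by untrusted code goes through here."""
    if name.startswith("_"):
        raise Unauthorized(f"{name}: private names are never exposed")
    declared = getattr(type(obj), "__permissions__", {})
    if name not in declared:
        raise Unauthorized(f"{name}: no permission declared, denied by default")
    if declared[name] not in user.permissions():
        raise Unauthorized(f"{name}: requires '{declared[name]}'")
    return getattr(obj, name)


class RestrictedProxy:
    """What through-the-web code is handed instead of the raw object."""

    def __init__(self, user, obj):
        object.__setattr__(self, "_user", user)
        object.__setattr__(self, "_obj", obj)

    def __getattr__(self, name):
        # _user and _obj live in __dict__, so normal lookup finds them and
        # this hook only fires for attributes of the wrapped object.
        return guarded_getattr(self._user, self._obj, name)


def naive_summary(user, doc):
    """Author-written code with no explicit authorization check at all.
    The framework refuses the draft_notes read unless the user holds
    'Manage documents'; the author did not have to remember anything."""
    view = RestrictedProxy(user, doc)
    return f"{view.title}: {view.draft_notes}"


def unguarded_summary(doc):
    """The same author's code against the raw object, i.e. the CGI/PHP
    situation: nothing stops the leak because no check was written."""
    return f"{doc.title}: {doc.draft_notes}"


def can_read(user, doc, name):
    """True if `name` is readable by `user` through the guarded path."""
    try:
        guarded_getattr(user, doc, name)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    doc = Document("Roadmap", "public text", "unreleased pricing", owner="alice")
    anon = User("anon", ["Anonymous"])
    print(unguarded_summary(doc))          # leaks: no check was ever written
    print(can_read(anon, doc, "body"))     # True
    print(can_read(anon, doc, "draft_notes"))  # False: denied by the framework
```

The two summary functions are the point: the author's code is identical in both, and only the guarded path stops the anonymous reader. Note also that undeclared attributes (`owner`) and dunder names are refused even to a Manager, which is the deny-by-default property that makes "forgot to check" a non-event rather than a vulnerability.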