For a couple of weeks now I've been wondering about Zope's security vulnerabilities. Recently I've gotten rather alarmed. While poking around the zGold site, I've come across some rather surprising things. In particular, access to the SQL database doesn't seem to be controlled at all... I was able to snag clear text passwords rather easily. (I hope no one is using an important password for that site... surprisingly only three users have 'password'. :) Presumably this is a server configuration issue, as Zope.org doesn't have the obvious hole that zGold does. So, my question is, does there exist a laundry list of common Zope misconfigurations? Does there need to be one (Zope.org tips)? The solution is rather obvious (settings on the security tab for the folder) but how do new users know to catch that kind of thing? -Otto.
On Wed, 10 Nov 1999, Otto Hammersmith wrote:
So, my question is, does there exist a laundry list of common Zope misconfigurations? Does there need to be one (Zope.org tips)? The solution is rather obvious (settings on the security tab for the folder) but how do new users know to catch that kind of thing?
Sounds like a perfect fit for a tip to me. I was considering documenting a 'secure' zope site how-to when I get to that stage of my development (which involves me learning more) - at the moment I'm the only user on my server, but security is always in my design criteria as I'm solely concerned with developing a secured Intranet (eek! I used a marketing term!). If someone has already created such a checklist and is allowed to share it, I would be interested in seeing it and it will probably end up in a how-to. Hmm.... I see the need for a 'SecurityReport' Product - a document that scans the permissions on the current folder down and displays a tree detailing who has what rights.

Zen (alias Stuart Bishop) Work: zen@cs.rmit.edu.au
Senior Systems Alchemist Play: zen@shangri-la.dropbear.id.au
Computer Science, RMIT WWW: http://www.cs.rmit.edu.au/~zen
Stuart 'Zen' Bishop wrote:
On Wed, 10 Nov 1999, Otto Hammersmith wrote:
So, my question is, does there exist a laundry list of common Zope misconfigurations? Does there need to be one (Zope.org tips)? The solution is rather obvious (settings on the security tab for the folder) but how do new users know to catch that kind of thing?
Sounds like a perfect fit for a tip to me.
Wrote one, it's at http://www.zope.org/Members/otto/zsqlmethods.
I was considering documenting a 'secure' zope site how-to when I get to that stage of my development (which involves me learning more) - at the moment I'm the only user on my server, but security is always in my design criteria as I'm solely concerned with developing a secured Intranet (eek! I used a marketing term!). If someone has already created such a checklist and allowed to share it, I would be interested in seeing it and it will probably end up in a how-to.
Under the assumption that someone hasn't, I suggest anyone with security tips do as this tip suggests, http://www.zope.org/Members/otto/firstsecurity. That has a query link that should generate a list of all the security tips on Zope.org... as soon as my first two get cataloged. :) I also just added a News item.
Hmm.... I see the need for a 'SecurityReport' Product - a document that scans the permissions on the current folder down and displays a tree detailing who has what rights.
Hm, Z Satan. :) That would be neat, though... -Otto.
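The permission scan Stuart sketches above, as an added example that is not part of the thread or of any Zope product: it models Zope 2's acquisition of Security-tab permission settings and local roles over a constructed folder tree and lists the folders where an anonymous visitor (or a named user) ends up holding a permission. The `Folder` class here is a stand-in for the example, not Zope's own; the folder tree, users and settings are constructed, with the real Zope permission name "Use Database Methods" used for the SQL-method case Otto describes.

```python
# Added example (not from the thread): a "SecurityReport"-style walker modelled
# on Zope 2 semantics: each folder stores per-permission (roles, acquire flag)
# as set on its Security tab; local roles acquire downward. Data is constructed.
from dataclasses import dataclass, field

@dataclass
class Folder:
    id: str
    perms: dict = field(default_factory=dict)        # perm -> (roles, acquire)
    local_roles: dict = field(default_factory=dict)  # user -> roles granted here
    children: list = field(default_factory=list)

def effective_roles(path, perm):
    """Roles holding `perm` on path[-1], following acquisition up the tree."""
    roles = set()
    for node in reversed(path):
        granted, acquire = node.perms.get(perm, ((), True))
        roles |= set(granted)
        if not acquire:
            break
    return roles

def user_roles(path, user):
    """Roles `user` (None = anonymous visitor) holds on path[-1]."""
    roles = {"Anonymous"} if user is None else {"Authenticated"}
    for node in path:  # local roles acquire downward
        roles |= set(node.local_roles.get(user, ()))
    return roles

def report(root, perm, user=None):
    """Paths under `root` where `user` can exercise `perm`."""
    hits = []
    def walk(path):
        allowed = effective_roles(path, perm)
        # Zope treats a grant to Anonymous as a grant to everyone.
        if "Anonymous" in allowed or user_roles(path, user) & allowed:
            hits.append("/".join(n.id for n in path))
        for child in path[-1].children:
            walk(path + [child])
    walk([root])
    return hits

# Constructed site: root limits SQL methods to Manager; "zgold" re-opened them.
DB = "Use Database Methods"
SITE = Folder("root", {DB: (("Manager",), False)}, children=[
    Folder("members", local_roles={"otto": ("Owner",)},
           children=[Folder("otto", {DB: (("Owner",), True)})]),
    Folder("zgold", {DB: (("Anonymous",), True)}, children=[
        Folder("sql"), Folder("private", {DB: (("Manager",), False)})]),
])
```

`report(SITE, DB)` flags `root/zgold` and `root/zgold/sql` (the subfolder inherits the open grant), while `root/zgold/private` is clean because it stops acquiring and grants only Manager.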
While I'm on the topic... It seems to me you cannot securely allow users access to the "Security" tab in the management interface. It's easy enough to shut this off, but that does take away an awful lot of functionality. Is this an intended design, or is it a flaw in the Zope security model? Perhaps the best way to set up something like Zope.org (multiple contributors) in a secure manner is to roll your own Folder object with a specified set of sub-objects. Tedious, but secure. :-S -Otto.