Re: [Zope] Zope Security Problem
-----Original Message-----
From: Martijn Pieters <mj@antraciet.nl>
To: Andreas Kostyrka <andreas@mtg.co.at>; Alexander Staubo <alex@mop.no>
Cc: Zope Mailing List (E-mail) <zope@zope.org>
Date: Sunday, August 29, 1999 4:15 PM
Subject: RE: [Zope] <code> tag?
At 18:58 29-8-99 , Andreas Kostyrka wrote:
On Sun, 29 Aug 1999, Alexander Staubo wrote:
It only works when explicitly requesting a document by its name. So:
http://www.mtg.co.at/PrincipiaSearchSource
won't work, whereas:
http://www.mtg.co.at/index_html/PrincipiaSearchSource
will get you the DTML source.
Confirmed. That's what one calls a security misfeature?
Being able to view a site's source code might reveal shortcomings in it that can be used to gain further access to your site. It might be that Zope has vulnerabilities as yet undiscovered. When thinking in terms of security, expect the worst.
I agree that there may be further security implications. Plus, not *everything* in the world is open source. I'm of the opinion that people should choose what is open and what is not...
Okay, how about the source of your Z SQL Methods: add getFindContent to the URL of a Z SQL Method, and you get the source, and this cannot be restricted.
If Zope wants to claim that it is secure, you should be able to protect your site's source code.
So, anyone can look at the content of a Z SQL Method or a DTML Method (and maybe document). Is it possible to look at any arbitrary property? I've been working under the assumption that there was no way for someone to view a property unless you give them access via a method or the management screens...
Kevin
Kevin Dangoor wrote:
So, anyone can look at the content of a Z SQL Method or a DTML Method (and maybe document). Is it possible to look at any arbitrary property? I've been working under the assumption that there was no way for someone to view a property unless you give them access via a method or the management screens...
I don't think you have to worry about this - I have no doubt that DC will provide a fix in the next release, maybe even tomorrow in CVS when they come back to work. Right? ;)
--
Itamar - itamars@ibm.net
Perl/Gimp Greeting Cards | Trust? Ha! The US dollar is backed by ICBMs!
http://www.sealingwax.com | --Anonymous Coward, Slashdot
At 22:27 29/08/99 , Kevin Dangoor wrote:
So, anyone can look at the content of a Z SQL Method or a DTML Method (and maybe document). Is it possible to look at any arbitrary property? I've been working under the assumption that there was no way for someone to view a property unless you give them access via a method or the management screens...
As I understand it, properties are not objects, and are therefore not traversable with URLs. They can only be referenced from within Zope, so they are, as far as I can see, safe.
REQUEST, for example, is an object, so you can access it: http://www.zope.org/REQUEST
Zope 2.0 gives you a nicer format: http://www.zope.org:18200/REQUEST
This is very handy for debugging purposes. RESPONSE has not yet been created at the time of traversal, so that will give a not found error.
--
Martijn Pieters, Web Developer | Antraciet http://www.antraciet.nl
Tel: +31-35-7502100 Fax: +31-35-7502111 | mailto:mj@antraciet.nl
http://www.antraciet.nl/~mj | PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
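As an added example (not code from this thread or from the Zope project), the following Python scans web-server access logs for requests whose last path segment is one of the two source-exposing names discussed above, separating successful disclosures from 404 probes. The log lines are constructed for the example, and the Common Log Format layout is an assumption about what the front-end server writes.

```python
import re
from urllib.parse import urlsplit

# Traversal names the thread says return DTML / Z SQL Method source.
SOURCE_EXPOSING_NAMES = frozenset({"PrincipiaSearchSource", "getFindContent"})

# Assumed Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation address range 192.0.2.0/24).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Aug/1999:18:58:01 +0200] "GET /index_html HTTP/1.0" 200 5123
192.0.2.11 - - [29/Aug/1999:18:58:07 +0200] "GET /index_html/PrincipiaSearchSource HTTP/1.0" 200 2048
192.0.2.11 - - [29/Aug/1999:18:58:12 +0200] "GET /sql/listUsers/getFindContent?x=1 HTTP/1.0" 200 311
192.0.2.12 - - [29/Aug/1999:18:59:40 +0200] "GET /PrincipiaSearchSource HTTP/1.0" 404 229
192.0.2.13 - - [29/Aug/1999:19:00:02 +0200] "GET /docs/getFindContentNotes HTTP/1.0" 200 900
"""


def find_source_exposure(log_text):
    """Return (host, path, status, kind) for every request whose final path
    segment is exactly one of the source-exposing names.  A 2xx response is
    reported as 'disclosed' (source actually served); anything else as a
    'probe', since the thread notes the bare root URL does not work."""
    hits = []
    for line in log_text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue  # not in the assumed log format; skip rather than guess
        path = urlsplit(m.group("target")).path  # drop any query string
        last = path.rstrip("/").rsplit("/", 1)[-1]
        if last in SOURCE_EXPOSING_NAMES:
            status = int(m.group("status"))
            kind = "disclosed" if 200 <= status < 300 else "probe"
            hits.append((m.group("host"), path, status, kind))
    return hits


if __name__ == "__main__":
    for host, path, status, kind in find_source_exposure(SAMPLE_LOG):
        print(f"{kind:9} {host} {status} {path}")
```

Matching the whole final segment rather than a substring keeps ordinary objects whose names merely contain the string (the last sample line) out of the report.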
participants (3): Itamar Shtull-Trauring, Kevin Dangoor, Martijn Pieters