RE: [Zope] www.oswg.org runs Zope?
hi shane,

what you're "missing" is the fact that the superuser's name and password are not hardcoded. it's your responsibility to use the zpasswd.py utility in your zope root directory to change the name and password to something hard to guess. but even if you do not change it, the passwords generated during a zope install are random and not guessable.

concerning the fact that the "manage" suffix to an address is hardcoded, there's always the possibility for those who run apache in front of zope to write a rewrite rule which shuts out direct access to anything like http://myurl/myfile/manage and a second one that maps any chosen expression to the underlying zope "manage" pages, like http://myurl/myfile/niceweathertoday .

jens

----
Jens Vagelpohl jens@digicool.com
Software Engineer www.digicool.com
Digital Creations (888) 344-4332
Got Zope?
----

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of srl
Sent: Wednesday, April 19, 2000 07:34
To: J. Atwood
Cc: srl; zope@zope.org
Subject: Re: [Zope] www.oswg.org runs Zope?

Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. all it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?

srl

On Tue, 18 Apr 2000, J. Atwood wrote:
http://www.oswg.org:8080/oswg/manage
That is always a good test..
It is.. Squishdot.
J
From: srl <slandrum@turing.csc.smith.edu>
Date: Tue, 18 Apr 2000 17:22:35 -0400 (EDT)
To: zope@zope.org
Subject: [Zope] www.oswg.org runs Zope?
www.oswg.org
Shane Renee Landrum slandrum<@>cs.smith.edu ----"Some people enjoy the corporate life. Then again, some people enjoy nipple clamps." --- seen on an ad
concerning the fact that the "manage" suffix to an address is hardcoded, there's always the possibility for those who run apache in front of zope to write a rewrite rule
That's a hacker's solution.

1. Zope should integrate SSL.
2. All protected pages should be delivered only through SSL by default.
3. A fallback to use management and protected pages without SSL should be there, but it has to be enabled by hand.

That would eliminate many risks with little effort for non-hackers.

Regards, Frank
1. Zope should integrate SSL.
2. All protected pages should be delivered only through SSL by default.
3. A fallback to use management and protected pages without SSL should be there, but it has to be enabled by hand.
Sounds cool... Now write it and I'm sure DC will be happy to integrate it into the code ;-) Chris
1. Zope should integrate SSL.
2. All protected pages should be delivered only through SSL by default.
3. A fallback to use management and protected pages without SSL should be there, but it has to be enabled by hand.

That would eliminate many risks with little effort for non-hackers.
Having "native" SSL support in Zope surely would be a GOOD THING (tm). It just doesn't seem to be a very popular idea. I remember some previous threads about it on this list ...

But SSL wouldn't help with the password issue! Getting into an SSL-secured page by guessing the password isn't any harder than without SSL. The only advantage is that the password cannot be "sniffed", only guessed.

If you want real security for a site that is in the public internet, I don't think there is an easy solution. The only things that come to my mind are "one-time" passwords sent to the user via a secure connection or generated by password generators and smart cards with public/private key technology. But that's a general issue, not a specific Zope problem.
But SSL wouldn't help with the password issue!

That is another topic. If passwords are used (that's the current situation) encryption of the transmission eliminates one weakness of the system. Every eliminated weakness is a good thing.
Regards, Frank
On Wed, 19 Apr 2000, Joachim Werner wrote:
Having "native" SSL support in Zope surely would be a GOOD THING (tm). It just doesn't seem to be a very popular idea. I remember some previous threads about it on this list ...
But SSL wouldn't help with the password issue! Getting into an SSL-secured page by guessing the password isn't any harder than without SSL. The only advantage is that the password cannot be "sniffed", only guessed.
IMO that's a significant advantage for the paranoid: if you're across the country in a hotel room editing your Zope site, and some script kiddie is running a sniffer on that hotel's network, well, the kiddie just got your password. If you were editing your site by using SSH to a straight-HTML server, the kiddie wouldn't get your password. If you were editing a Zope page that's running inside SSL, the kiddie wouldn't get your password.

With a brute-force attack, your logs would at least show that someone was trying to crack a privileged account. If some script kiddie attacks your Zope site with a password gotten through a sniffer, you see one login, that's it, and your homepage now says, "I 4M 3733T, PH34R M3." But then again, this is why to back up Data.fs.

srl
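srl's point above is that the two attacks leave different traces: a guessing run shows up as a burst of failed requests to a management URL from one source, while a sniffed password shows up as a single successful login from an unexpected host. The script below is an added example (not code from the thread or from Zope) that runs both checks over Common Log Format lines, the format ZServer's HTTP server and Apache write. The log lines, hosts and thresholds are constructed for the example; whether the attempted username is logged on a failed Basic-auth request depends on the server, so the failure check keys on host and status only.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Common Log Format). Not from any real server.
# 10.0.0.7 hammers the management URL with the superuser account and gets in
# on the 7th try; 192.0.2.44 logs in once with a password it should not have;
# 203.0.113.5 is the legitimate administrator, who mistypes once.
SAMPLE_LOG = """\
198.51.100.9 - - [19/Apr/2000:15:17:58 +0200] "GET / HTTP/1.0" 200 2048
10.0.0.7 - - [19/Apr/2000:15:18:01 +0200] "GET /oswg/manage HTTP/1.0" 401 312
10.0.0.7 - - [19/Apr/2000:15:18:02 +0200] "GET /oswg/manage HTTP/1.0" 401 312
10.0.0.7 - - [19/Apr/2000:15:18:03 +0200] "GET /oswg/manage HTTP/1.0" 401 312
10.0.0.7 - - [19/Apr/2000:15:18:04 +0200] "GET /oswg/manage HTTP/1.0" 401 312
10.0.0.7 - - [19/Apr/2000:15:18:05 +0200] "GET /oswg/manage HTTP/1.0" 401 312
10.0.0.7 - - [19/Apr/2000:15:18:06 +0200] "GET /oswg/manage HTTP/1.0" 401 312
10.0.0.7 - superuser [19/Apr/2000:15:18:07 +0200] "GET /oswg/manage HTTP/1.0" 200 5120
192.0.2.44 - superuser [19/Apr/2000:15:40:12 +0200] "GET /oswg/manage_main HTTP/1.0" 200 4096
203.0.113.5 - - [19/Apr/2000:16:02:40 +0200] "GET /oswg/manage HTTP/1.0" 401 312
203.0.113.5 - superuser [19/Apr/2000:16:02:51 +0200] "GET /oswg/manage HTTP/1.0" 200 5120
"""

# host ident authuser [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "user": m.group("user"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_manage_path(path):
    """True for Zope management URLs: any object path ending in /manage or /manage_*."""
    path = path.split("?", 1)[0]
    last = path.rstrip("/").rsplit("/", 1)[-1]
    return last == "manage" or last.startswith("manage_")


def manage_requests(lines):
    """Yield parsed entries that target a management URL, skipping unparseable lines."""
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_manage_path(entry["path"]):
            yield entry


def find_guessing(lines, threshold=5, window=timedelta(minutes=5)):
    """Hosts with at least `threshold` 401s on management URLs inside any `window`.

    Returns {host: total_failures}. A sliding window over the sorted timestamps
    keeps a slow trickle of admin typos from being reported.
    """
    failures = defaultdict(list)
    for e in manage_requests(lines):
        if e["status"] == 401:
            failures[e["host"]].append(e["ts"])
    flagged = {}
    for host, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged


def successful_logins(lines):
    """Sorted (host, user) pairs that received a 2xx on a management URL.

    This is the only trace a sniffed password leaves, so the list is what an
    administrator reviews against the hosts they actually edit from.
    """
    seen = set()
    for e in manage_requests(lines):
        if 200 <= e["status"] < 300:
            seen.add((e["host"], e["user"]))
    return sorted(seen)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("guessing bursts:", find_guessing(lines))
    print("management logins:", successful_logins(lines))
```

On the constructed log this reports 10.0.0.7 with six failures, and lists 10.0.0.7, 192.0.2.44 and 203.0.113.5 as hosts that reached a management screen as superuser; the single typo from 203.0.113.5 stays under the threshold.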
On Wed, Apr 19, 2000 at 03:18:11PM +0200, Joachim Werner wrote:
Having "native" SSL support in Zope surely would be a GOOD THING (tm).
It has been done, by yours truly, and is known as ZServerSSL. See http://www.post1.com/home/ngps/m2.
But SSL wouldn't help with the password issue! Getting into an SSL-secured page by guessing the password isn't any harder than without SSL. The only advantage is that the password cannot be "sniffed", only guessed.
I have thought about (and mentioned ;-) a certUserFolder which accepts authentication via X.509 certificates. Still thinking, no code yet. -- Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps
It has been done, by yours truly, and is known as ZServerSSL. See http://www.post1.com/home/ngps/m2.
What does this actually do? Does it replace parts of the Zope install? Does it simply add another server to Zope (which would be cool, it's getting quite a collection ;-) http, ftp, xml-rpc...) Is there any chance you could feed it to DC so they can get it into Zope 2.2 or something? cheers, Chris
It has been done, by yours truly, and is known as ZServerSSL. See http://www.post1.com/home/ngps/m2.
What does this actually do? Does it replace parts of the Zope install? Does it simply add another server to Zope (which would be cool, it's getting quite a collection ;-) http, ftp, xml-rpc...)
Is there any chance you could feed it to DC so they can get it into Zope 2.2 or something?
cheers,
Chris
But note that Python 1.6 is going to support SSL. See http://www.python.org/1.6/ which says under the heading Module Changes: "socket, httplib, urllib - optional OpenSSL support". But I haven't looked below the surface of this statement.

------------------------------------------------------------------
Richard Barrett, PostPoint 27, e-mail: r.barrett@ftel.co.uk
Fujitsu Telecommunications Europe Ltd, tel: (44) 121 717 6337
Solihull Parkway, Birmingham Business Park, B37 7YU, England
"Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well armed lamb contesting the vote." Benjamin Franklin, 1759
------------------------------------------------------------------
On Wed, Apr 19, 2000 at 05:04:00PM +0100, Chris Withers wrote:
It has been done, by yours truly, and is known as ZServerSSL. See http://www.post1.com/home/ngps/m2.
What does this actually do? Does it replace parts of the Zope install? Does it simply add another server to Zope (which would be cool, it's getting quite a collection ;-) http, ftp, xml-rpc...)
ZServerSSL provides a HTTPS server, based on the ZServer's HTTP server. All the HTTP heavy lifting is still done by ZServer; ZServerSSL simply makes it work over SSL, i.e., HTTPS.
Is there any chance you could feed it to DC so they can get it into Zope 2.2 or something?
M2Crypto, the SSL plumbing for ZServerSSL, is released under a BSD/Python-ish license. ZServerSSL is under the ZPL. If DC is interested, I will be happy to assist.

Cheers.
-- Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps
Hi!

It is amazing how many people believe that SSL (and other technical solutions) can bring security "by default"! People - that is the weakest point in security, and installing SSL would not make them much more secure. Even worse - the notion of SSL can make people feel "more secure" without deep investigation and learning; that is worse than no security at all!

On Wed, 19 Apr 2000, Frank Tegtmeyer wrote:
1. Zope should integrate SSL.
2. All protected pages should be delivered only through SSL by default.
3. A fallback to use management and protected pages without SSL should be there, but it has to be enabled by hand.
Oleg. (All opinions are mine and not of my employer)

----
Oleg Broytmann Foundation for Effective Policies phd@phd.russ.ru
Programmers don't die, they just GOSUB without RETURN.