There was some recent interest in security issues with Zope installations, so I just thought I'd announce that I'm now keeping a public collection of notes about outstanding security problems at http://audible.transient.net/zope/ It's not complete yet (only addresses open collector issues currently); I'll probably be adding to it for the next few days until it is (inasmuch as it can be, just representing my knowledge on the subject).

-- Jamie Heilman http://audible.transient.net/~jamie/
Jamie Heilman wrote:
There was some recent interest in security issues with Zope installations, so I just thought I'd announce that I'm now keeping a public collection of notes about outstanding security problems at http://audible.transient.net/zope/ It's not complete yet (only addresses open collector issues currently); I'll probably be adding to it for the next few days until it is (inasmuch as it can be, just representing my knowledge on the subject).
The acrimonious nature of your document means many people are unlikely to take it seriously, and hardly anyone who _can_ fix the problems you half-heartedly describe will want to put up with the verbal battering required to do so... Don't know if you actually "get" how open source works, which is a shame, given that you seem to have a good insight into a lot of these problems...

Chris
On Wednesday 17 September 2003 14:19, you wrote:
Jamie Heilman wrote:
There was some recent interest in security issues with Zope installations, so I just thought I'd announce that I'm now keeping a public collection of notes about outstanding security problems at http://audible.transient.net/zope/ It's not complete yet (only addresses open collector issues currently); I'll probably be adding to it for the next few days until it is (inasmuch as it can be, just representing my knowledge on the subject).
The acrimonious nature of your document means many people are unlikely to take it seriously, and hardly anyone who _can_ fix the problems you half-heartedly describe will want to put up with the verbal battering required to do so...
Don't know if you actually "get" how open source works, which is a shame, given that you seem to have a good insight into a lot of these problems...
Chris
Sorry Chris, but that is NOT how security works: you have to take seriously any issue, no matter how unpleasant the manner in which it was raised. The issues raised by Jamie are legitimate, and they should be (eventually) dealt with. What the priority is I am not really sure; I doubt Zope will ever be a good idea in a truly high security environment. This is not a negative remark on the Zope development, but rather a reflection on any highly complex system.

Jamie's fixes are useful and should be considered by anybody who is really interested in these matters. Whether they are really vital is another question: some of the issues are not important in certain scenarios (a small development team on a single project may not care about privilege escalation via the ZMI; problems with the CGI are of no importance unless you use that mechanism), others can be dealt with by other mechanisms (proxy filtering). Yet some others are truly horrible and affect everybody (the idea of allowing XML-RPC on the HTTP port is about as bad as anything I have ever seen).

All in all it is your decision what you want to do about them, but you should at least be aware of their existence; dismissing them because they were pointed out in an impolite manner is not the answer.

-- Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
Chris Withers wrote:
The acrimonious nature of your document means many people are unlikely to take it seriously, and hardly anyone who _can_ fix the problems you half-heartedly describe will want to put up with the verbal battering required to do so...
We've been over this privately; now let it be shown on the public record that I am aware of your opinion, but that the venue you express it in makes no difference.

Robert Segall wrote:
Jamie's fixes are useful and should be considered by anybody who is really interested in these matters. Whether they are really vital is another question: some of the issues are not important in certain scenarios (a small development team on a single project may not care about privilege escalation via the ZMI; problems with the CGI are of no importance unless you use that mechanism), others can be dealt with by other mechanisms (proxy filtering).
Yup, the only people who can answer the question of importance are the people using the software, because they're the only ones who know the behavior they require. The advantage of the community is we can share our knowledge of these problems, and the advantage of open source is that we can address the origin of the problems directly and at our leisure.
Yet some others are truly horrible and affect everybody (the idea of allowing XML-RPC on the HTTP port is about as bad as anything I have ever seen).
...and there ya go, a perfect example; I didn't find that issue threatening. I removed XML-RPC from my personal tree just because I didn't need it.

-- Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer
Robert Segall wrote:
Sorry Chris, but that is NOT how security works: you have to take seriously any issue, no matter how unpleasant the manner in which it was raised.
Find the part where I mentioned security ;-)
The issues raised by Jamie are legitimate, and they should be (eventually) dealt with. What the priority is I am not really sure; I doubt Zope will ever be a good idea in a truly high security environment. This is not a negative remark on the Zope development, but rather a reflection on any highly complex system.
Indeed. My comment is aimed at driving home the point about open source. If you want to get stuff fixed, try to be nice about it, and be helpful. Then people are more inclined to help, rather than just ignoring the issues as the vitriol of the terminally infantile... ...and, as you point out, ignoring real security issues is a "bad thing".
seen). All in all it is your decision what you want to do about them, but you should at least be aware of their existence; dismissing them because they were pointed out in an impolite manner is not the answer.
I certainly didn't dismiss them; I see them as serious problems, but I don't personally have the time/knowledge to fix them, and the style in which they are presented means those who do have the time/knowledge aren't likely to fix them...

Chris