www.oswg.org runs Zope?
So I was looking at the Open Source Writers' Group website today, www.oswg.org, and it seems to be Zope-powered. It's running on port 8080, and none of its pages have extensions, which is something I usually only see in Zope sites. Another site to add to the Zope-Powered list?

srl
----
Shane Renee Landrum slandrum<@>cs.smith.edu
http://www.oswg.org:8080/oswg/manage

That is always a good test.. It is.. Squishdot.

J
From: srl <slandrum@turing.csc.smith.edu>
Date: Tue, 18 Apr 2000 17:22:35 -0400 (EDT)
To: zope@zope.org
Subject: [Zope] www.oswg.org runs Zope?

www.oswg.org
Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?

srl

On Tue, 18 Apr 2000, J. Atwood wrote:
http://www.oswg.org:8080/oswg/manage
That is always a good test..
It is.. Squishdot.
J
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Shane Renee Landrum slandrum<@>cs.smith.edu
----
"Some people enjoy the corporate life. Then again, some people enjoy nipple clamps." --- seen on an ad
On Wed, Apr 19, 2000 at 07:34:28AM -0400, srl wrote:
Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?

Yes. If you are security-conscious you change the superuser account name and choose a very hard to guess password.

-Petru
On Wed, 19 Apr 2000, Petru Paler wrote:
On Wed, Apr 19, 2000 at 07:34:28AM -0400, srl wrote:
Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?

Yes. If you are security-conscious you change the superuser account name and choose a very hard to guess password.

Okay, that means that instead of it taking N tries to hack a password, it takes N^2 tries. *shrug* A little better. Is there a way to run all the /manage pages behind SSL, so they're less prone to password sniffing? Or to rename /manage to something a little more obscure? It just seems to me that the /manage URLs are just waiting to be exploited by some cracker.

srl, picking security nits
----
Shane Renee Landrum slandrum<@>cs.smith.edu
Is there a way to run all the /manage pages behind SSL, so they're less prone to password sniffing? Or to rename /manage to something a little more obscure? It just seems to me that the /manage URLs are just waiting to be exploited by some cracker.

There are a couple of different things that could make Zope a bit more secure.

- Be able to disable the superuser account (or rename, erase it)
- Change the port on which /manage runs (Web Admin does this very nicely)
- Be able to lock it down by IP address (only certain IP addresses can access /manage)
- SSL
- Force strong passwords (10 chars, at least 1 number, 1 cap, 1 symbol, no words)

I know all of this is way on the back burner but it is something to consider. There also might be easy "Zopish" ways to do all of this.

J
At 7:34 AM -0400 4/19/2000, srl wrote:
Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?

To some degree yes. But no more than leaving the telnet or FTP port open on a machine. If someone knows the username and password, they will get in. Since the superuser password is randomly generated (and is a pretty tough one) on each install, as long as you don't change it to something wickedly stupid it should be fine.

J
Hi, srl wrote:
Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?

A nice way is to disable all /manage URLs for all hosts other than localhost. Then use port-forwarding over ssh for editing the pages. This is like SSL for the poor :-)

Regards
Tino Wildenhain
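The lockdown discussed in J. Atwood's list above (restrict /manage by IP address, put it behind SSL) and in Tino's reply (only localhost may reach /manage, remote editing through an ssh tunnel), as an added example that is not part of the thread and not Zope's own code: a policy check that a front-end proxy or a small wrapper in front of ZServer could apply before forwarding a request. It assumes that management views are URL path segments named "manage" or starting with "manage_" (Zope resolves them by acquisition, so they can be appended to any object path, which is exactly srl's complaint); the client addresses and URLs in the sample run are constructed.

```python
"""Added example, written for this thread rather than taken from it or from
Zope: a policy check for Zope-style management URLs that a front end could
apply before forwarding to ZServer. It models the measures discussed above:
/manage reachable only from localhost (Tino's ssh-forwarding setup), lock-down
by client IP and a requirement that the management UI be served over SSL/TLS
(J. Atwood's list). Assumptions: management views are path segments named
"manage" or starting with "manage_"; the sample addresses are constructed."""

from dataclasses import dataclass
import ipaddress
from urllib.parse import urlsplit


def is_management_path(path: str) -> bool:
    """True if any path segment is a Zope management view.

    Zope resolves /manage (and manage_main, manage_workspace, ...) through
    acquisition, so it can be appended to any object URL; that is why every
    segment is checked, not only the last one."""
    for segment in path.split("/"):
        if segment == "manage" or segment.startswith("manage_"):
            return True
    return False


@dataclass(frozen=True)
class Request:
    client_ip: str   # address of the TCP peer, not a header the client controls
    url: str         # absolute URL as the front end saw it, scheme included


@dataclass(frozen=True)
class Policy:
    allowed_nets: tuple      # ipaddress networks permitted to reach /manage
    require_tls: bool = False


def policy_for(cidrs, require_tls=False) -> Policy:
    """Build a Policy from CIDR strings, e.g. policy_for(["10.0.0.0/8"])."""
    return Policy(tuple(ipaddress.ip_network(c) for c in cidrs), require_tls)


# Tino's setup: only localhost may reach the management screens; remote
# admins get there through an ssh tunnel that lands on 127.0.0.1 / ::1.
LOCALHOST_ONLY = policy_for(["127.0.0.0/8", "::1/128"])


def decide(req: Request, policy: Policy) -> str:
    """Return "allow", or "deny: <reason>" for a management URL that violates
    the policy. Non-management URLs are always allowed; the public site is
    untouched."""
    parts = urlsplit(req.url)
    if not is_management_path(parts.path):
        return "allow"
    client = ipaddress.ip_address(req.client_ip)
    # An IPv6 client is never "in" an IPv4 network and vice versa; ipaddress
    # handles the version mismatch by returning False.
    if not any(client in net for net in policy.allowed_nets):
        return "deny: client %s may not reach the management UI" % client
    if policy.require_tls and parts.scheme.lower() != "https":
        return "deny: management UI is only served over https"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: an admin on localhost (through the ssh tunnel) and a
    # remote host hitting the same URLs; 203.0.113.7 is a documentation address.
    samples = [
        Request("127.0.0.1", "http://www.oswg.org:8080/oswg/manage"),
        Request("203.0.113.7", "http://www.oswg.org:8080/oswg/manage"),
        Request("203.0.113.7", "http://www.oswg.org:8080/oswg/manage_main"),
        Request("203.0.113.7", "http://www.oswg.org:8080/oswg/"),
    ]
    for r in samples:
        print(r.client_ip, r.url, "->", decide(r, LOCALHOST_ONLY))
```

The check keys on the TCP peer address, not on a forwarded-for header, because anything the client can set is not a lock. Combining an allow list with `require_tls=True` gives the "SSL for /manage only" variant srl asks about while leaving port 8080 content untouched.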
"J. Atwood" wrote:
http://www.oswg.org:8080/oswg/manage
That is always a good test..
telnet www.oswg.org 8080
Trying 216.208.98.3...
Connected to oswg.org.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: www.oswg.org:8080

HTTP/1.1 200 OK
Server: Zope/Zope 2.1.3 (binary release, python 1.5.2, linux2-x86) ZServer/1.1b1
Date: Thu, 20 Apr 2000 12:49:44 GMT
Ms-Author-Via: DAV
Content-Type: application/octet-stream
Connection: close
Date: Thu, 20 Apr 2000 12:49:44 GMT
Content-Length: 289
Last-Modified: Thu, 27 Jan 2000 17:34:14 GMT
Connection closed by foreign host.

is an even better test :-)

Regards
Tino
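The HEAD probe Tino shows above, as an added example that is not part of the thread: a small fingerprinter that parses a raw HTTP response and pulls the Zope, ZServer and Python versions out of the Server header, plus a probe() that performs the same HEAD request over a socket. The sample response is the one quoted in the message, re-joined with CRLF line endings (constructed input, so the example runs offline); the regular expressions assume the Server header keeps the "Zope/Zope x.y.z (..., python a.b.c, ...) ZServer/v" layout seen there.

```python
"""Added example (not from the thread or from Zope): parse the response to
the HEAD / probe above and report what the Server header gives away."""

import re
import socket

# Constructed sample: Tino's response, re-joined with CRLF line endings.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Zope/Zope 2.1.3 (binary release, python 1.5.2, linux2-x86) ZServer/1.1b1\r\n"
    "Date: Thu, 20 Apr 2000 12:49:44 GMT\r\n"
    "Ms-Author-Via: DAV\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Connection: close\r\n"
    "Date: Thu, 20 Apr 2000 12:49:44 GMT\r\n"
    "Content-Length: 289\r\n"
    "Last-Modified: Thu, 27 Jan 2000 17:34:14 GMT\r\n"
    "\r\n"
)

ZOPE_RE = re.compile(r"Zope/Zope\s+([\w.]+)")
ZSERVER_RE = re.compile(r"ZServer/([\w.]+)")
PYTHON_RE = re.compile(r"python\s+([\w.]+)", re.IGNORECASE)


def parse_headers(raw: str):
    """Return (status_line, headers); headers maps lowercase name to a list of
    values so repeated headers (the sample carries two Date lines) survive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line; a strict parser would reject it
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def fingerprint(raw: str) -> dict:
    """Summarise what a single HEAD response reveals about the server."""
    status, headers = parse_headers(raw)
    server = headers.get("server", [""])[0]

    def first(rx):
        m = rx.search(server)
        return m.group(1) if m else None

    return {
        "status": status,
        "server": server,
        "is_zope": "zope" in server.lower(),
        "zope": first(ZOPE_RE),
        "zserver": first(ZSERVER_RE),
        "python": first(PYTHON_RE),
        # Ms-Author-Via: DAV means WebDAV authoring is on, another way to edit content
        "webdav": "dav" in (v.lower() for v in headers.get("ms-author-via", [])),
        "repeated_headers": sorted(n for n, v in headers.items() if len(v) > 1),
    }


def probe(host: str, port: int = 8080, timeout: float = 5.0) -> str:
    """Send the same HEAD request Tino typed and return the raw response text.
    Not called at import time; the sample above is used for the offline run."""
    request = ("HEAD / HTTP/1.1\r\nHost: %s:%d\r\nConnection: close\r\n\r\n"
               % (host, port)).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print("%-17s %s" % (key, value))
```

Against a live host the call is `fingerprint(probe("www.oswg.org"))`. The point of the parser is what a single unauthenticated request hands an attacker: exact Zope, ZServer and Python versions to look up, and the WebDAV header, which advertises a second editing interface alongside /manage.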
participants (4)
- J. Atwood
- Petru Paler
- srl
- Tino Wildenhain