[Zope-dev] Cookies presented on management login

David Thibault dthibault@esperion.com
Thu, 9 Aug 2001 16:59:42 -0400



Hello all,

I'm new to this list (my first post).  I'm currently in a project for SANS
certification in which I'm auditing Zope security.  I just noticed that
every time I log in I get a cookie from the server that has the following
info:

Name:  tree-s
Data: "eJzTiFZ3hANPW/VYHU0ALlYElA"

The data is ALWAYS the same.  I got the same cookie from a Redhat 7.1 box
running Zope 2.3.2 as I did from an NT box running Zope 2.4.0.  What is
this cookie used for in the management process?  I'm not at all familiar
with Zope's innards (but hopefully I'll get familiar with the security
innards at least).  Also, trudging through all the source code to find the
answer to this is not really a reality for me given the fact that my Python
experience is not deep enough.  

On a separate but related note, could anyone forward me links describing the
security innards?  I am familiar enough with Zope to know that only certain
modules can be imported, etc.  However, I've had a really hard time finding
anything more detailed than the security howtos that describe assigning
permissions & such through the management interface.  All the security
precautions that have been taken into account when developing the core of
Zope are of interest to me.  Basically, the project is to hack Zope before
the hackers do.  Hopefully, I won't find anything (or at least just little
stuff like I mention in the next paragraph).  What I hope will result from
this is a checklist that people can go through to harden their Zope boxes.

Also, if this is the wrong list to be asking about the security features of
the innards, please direct me to the appropriate place.  I hope to come up
with a substantial review of Zope from a security standpoint.  I've already
found a couple of things that could be done to help (small things), like
editing the header lines in HTTPResponse.py to not give up the server
version info in the HTTP headers.  Changing it to something like "Atari 2600
SuperServer" would at least keep the hackers from knowing you're running
Zope 2.x.y and finding related vulnerabilities...=).

Thanks,
Dave Thibault
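An added example, not from the post or from Zope's own code, showing how an auditor can classify an opaque cookie value like the tree-s one quoted above: its "eJz" prefix is the base64 encoding of a zlib stream header, which marks the value as compressed UI state (the expansion state of Zope's tree tag, with the base64 padding stripped) rather than a session secret. The `encode_state` helper is a constructed stand-in that mimics that compress-then-base64 encoding so the round trip can be checked offline.

```python
import base64
import binascii
import zlib

# The tree-s value quoted in the message above (copied from the page).
TREE_S_COOKIE = "eJzTiFZ3hANPW/VYHU0ALlYElA"


def restore_padding(value: str) -> str:
    """Zope strips trailing '=' from its encoded tree state; put it back."""
    return value + "=" * (-len(value) % 4)


def looks_like_zlib(raw: bytes) -> bool:
    """RFC 1950 header check: compression method 8 (deflate) and
    the two-byte CMF/FLG value is a multiple of 31."""
    if len(raw) < 2:
        return False
    return (raw[0] & 0x0F) == 8 and int.from_bytes(raw[:2], "big") % 31 == 0


def inspect_cookie(value: str) -> dict:
    """Classify an opaque cookie value: valid base64? zlib stream?
    If so, what plaintext does it inflate to?"""
    report = {"base64": False, "zlib": False, "plaintext": None}
    try:
        # altchars accepts both standard and URL-safe base64 alphabets.
        raw = base64.b64decode(restore_padding(value), altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return report
    report["base64"] = True
    if looks_like_zlib(raw):
        report["zlib"] = True
        try:
            report["plaintext"] = zlib.decompress(raw)
        except zlib.error:
            pass  # header present but stream truncated or corrupted
    return report


def encode_state(text: str) -> str:
    """Constructed helper mimicking compress -> base64 -> strip padding."""
    return base64.b64encode(zlib.compress(text.encode())).decode().rstrip("=")


if __name__ == "__main__":
    print(inspect_cookie(TREE_S_COOKIE))
```

A value that is always identical across servers and inflates to readable structure is client-side state, not a credential; the real audit question for such a cookie is what the server does when it parses a modified one.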
