[Zope-dev] Cookies presented on management login

Chris McDonough chrism@zope.com
Thu, 09 Aug 2001 17:57:34 -0400


> David Thibault wrote:
> 
> Hello all,
> 
> I'm new to this list (my first post).  I'm currently in a project for
> SANS certification in which I'm auditing Zope security.  I just

Cool!

> noticed that every time I log in I get a cookie from the server that
> has the following info:
> 
> Name:  tree-s
> Data: "eJzTiFZ3hANPW/VYHU0ALlYElA"
> 
> The data is ALWAYS the same.  I got the same cookie from a Redhat 7.1
> box running Zope 2.3.2 as I did from an NT box running Zope 2.4.0.
> What is this cookie used for in the management process?  I'm not at

To decide which leaves of the left-hand object tree to expand and which
to not expand.  It's not security-related, only functionality-related.

> all familiar with Zope's innards (but hopefully I'll get familiar with
> the security innards at least).  Also, trudging through all the source
> code to find the answer to this is not really a reality for me given
> the fact that my Python experience is not deep enough.
> 
> On a separate but related note, could anyone forward me links
> describing the security innards?  I am familiar enough with Zope to

The place to look first would be the security chapter of the Zope
developer's guide.  See
http://www.zope.org/Documentation/ZDG/Security.dtml .  Additionally,
there is good information by Dieter Maurer at
http://www.dieter.handshake.de/pyprojects/zope/book/chap3.html#c37ac15c15
.  I would be willing to help personally as well...

> know that only certain modules can be imported, etc.  However, I've
> had a really hard time finding anything more detailed than the
> security howtos that describe assigning permissions & such through the
> management interface.  All the security precautions that have been
> taken into account when developing the core of Zope are of interest to
> me.  Basically, the project is to hack zope before the hackers do.
> Hopefully, I won't find anything (or at least just little stuff like I
> mention in the next paragraph).  What I hope will result of this is a
> checklist that people can go through to harden their Zope boxes.

I hope you'll audit it good!  ;-)

> 
> Also, if this is the wrong list to be asking about the security
> features of the innards, please direct me to the appropriate place.  I
> hope to come up with a substantial review of Zope from a security
> standpoint.  I've already found a couple of things that could be done
> to help (small things), like editing the header lines in
> HTTPResponse.py to not give up the server version info in the HTTP
> headers.  Changing it to something like "Atari 2600 SuperServer" would
> at least keep the hackers from knowing you're running Zope 2.x.y and
> finding related vulnerabilities...=).

Yes, a list of this kind of stuff would be quite helpful!

BTW, I used to be an auditor for a computer security firm (named
Auditek) and your name looks awful familiar, probably from having read
Bugtraq and the like.  Welcome!

-- 
Chris McDonough                           Zope Corporation
http://www.zope.org                    http://www.zope.com

""" Killing hundreds of birds with thousands of stones """