[Zope-dev] How (in)secure is Zope?
Stuart Bishop
zen@shangri-la.dropbear.id.au
Sun, 23 Mar 2003 12:12:54 +1100
On Thursday, March 13, 2003, at 11:54 AM, Christian Tismer wrote:
> Dear Zope community,
>
> please excuse my ignorance, but I am asked
> from time to time how secure or insecure
> Zope actually is, and I always have to say
> that I actually don't know.
From a sysadmin's point of view, it is roughly
equivalent to Apache with CGI or PHP.
The major differences are:
- Zope's authentication & authorization systems
are implicit in everything you write. It is
harder to write insecure code than in PHP
or CGI.
- Anyone with the ability to create dynamic content
(DTML, Python, ZPT) can DoS your server.
- You usually need to run Apache in front of
Zope, which adds an additional attack point.
--
Stuart Bishop <zen@shangri-la.dropbear.id.au>
http://shangri-la.dropbear.id.au/
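The first difference listed above, an authorization check applied by the publisher rather than remembered by each script author, is easier to see in code. The following is an added example written for this archive page; it is a constructed model, not Zope's AccessControl or ZPublisher code, and the names Publisher, protected, UserFolder and cgi_delete_user are hypothetical.

```python
"""Toy model of 'implicit' authorization at publish time.

Constructed for this note; NOT Zope's AccessControl or ZPublisher code.
It contrasts a CGI/PHP-style handler, where the author must remember the
check, with a publisher that refuses to call any method lacking a declared
permission (default deny).
"""


class Forbidden(Exception):
    """Raised by the publisher when a request may not reach a method."""


# --- Style 1: CGI/PHP-like handler, authorization is the author's job ---

def cgi_delete_user(request, users):
    """Hypothetical handler whose author forgot the privilege check:
    any caller, including an anonymous one, can delete a user."""
    users.pop(request["target"], None)
    return "deleted"


# --- Style 2: permission declared on the method, enforced centrally ---

def protected(permission):
    """Decorator recording the permission a method requires."""
    def decorate(fn):
        fn.__permission__ = permission
        return fn
    return decorate


class Publisher:
    """Maps a request onto a method, but only after a permission check."""

    def __init__(self, roles_by_permission):
        # permission name -> set of roles granted that permission
        self.roles_by_permission = roles_by_permission

    def publish(self, obj, name, request):
        if name.startswith("_"):
            raise Forbidden("private names are never published: %s" % name)
        method = getattr(obj, name, None)
        if not callable(method):
            raise Forbidden("no such method: %s" % name)
        permission = getattr(method, "__permission__", None)
        if permission is None:
            # Undeclared method: default deny, even for a Manager.
            raise Forbidden("no permission declared for %s" % name)
        allowed = self.roles_by_permission.get(permission, set())
        if not allowed.intersection(request["roles"]):
            raise Forbidden("%s requires %r" % (name, permission))
        return method(request)


class UserFolder:
    """Hypothetical content object with three publishable-looking methods."""

    def __init__(self):
        self.users = {"alice": {}, "bob": {}}

    @protected("View")
    def list_users(self, request):
        return sorted(self.users)

    @protected("Manage users")
    def delete_user(self, request):
        self.users.pop(request["target"], None)
        return "deleted"

    def wipe(self, request):
        # Author forgot a declaration: the publisher will not call this.
        self.users.clear()
        return "wiped"


def attempt(publisher, obj, name, request):
    """Run one publish attempt; return ('ok', result) or ('forbidden', msg)."""
    try:
        return ("ok", publisher.publish(obj, name, request))
    except Forbidden as exc:
        return ("forbidden", str(exc))


def demo():
    """Exercise both styles with a constructed anonymous and manager request."""
    publisher = Publisher({"View": {"Anonymous", "Manager"},
                           "Manage users": {"Manager"}})
    folder = UserFolder()
    anonymous = {"roles": {"Anonymous"}, "target": "bob"}
    manager = {"roles": {"Manager"}, "target": "bob"}
    results = {
        "anon_list": attempt(publisher, folder, "list_users", anonymous),
        "anon_delete": attempt(publisher, folder, "delete_user", anonymous),
        "manager_delete": attempt(publisher, folder, "delete_user", manager),
        "manager_wipe": attempt(publisher, folder, "wipe", manager),
        "remaining": sorted(folder.users),
    }
    # The CGI-style handler never asked who was calling.
    cgi_users = {"alice": {}, "bob": {}}
    results["cgi_anon_delete"] = (cgi_delete_user(anonymous, cgi_users),
                                  sorted(cgi_users))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The branch worth noticing is the default-deny one: a method with no declaration is unreachable even by a Manager, so forgetting the declaration fails closed, whereas the CGI-style handler with a forgotten check fails open.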