[Zope] Security question w/ PCGI
Thaxter, Jason M.
Jason.M.Thaxter@abc.com
Mon, 30 Aug 1999 13:16:57 -0400
I suppose this concerns Apache more than Zope, but it might be a little
cleaner to put the PCGI wrapper into its own sub-directory...
Has anyone given thought to security questions arising from using Zope.cgi?
I had to add
<Directory "/path/to/Zope2">
Options ExecCGI
</Directory>
This makes me wonder if there might be some way to trick apache into trying
to execute any of the other files in this directory (to my knowledge, not
possible). The rewrite rule should prevent this, though I'm not entirely
comfortable with this, since it depends on zope being up and running.
Having only *.cgi files is nice, although a trojan file could be introduced
if the administrator is a little careless (since zope's install leaves it to
the user to correct permissions). But if you use
-DSECURITY_HOLE_PASS_AUTHENTICATION instead of the rewrite rule, you have to
move things around...
My $0.02: it might make sense to move Zope.cgi to a subdir by default, if
only to lessen the likelihood of security holes appearing...