[Zope] - ZServer

Amos Latteier amos@aracnet.com
Tue, 26 Jan 1999 12:57:23 -0800


At 02:56 PM 1/26/99 -0500, Michel Pelletier wrote:
>I noticed that when you FTP into ZServer it doesn't matter
>what userid or password you use, it always says 'Login Successful'.
>Of course, you're not authorized to see anything but you're still
>logged in and there is still an open Medusa channel.  Couldn't this
>be a hole into a possible Denial of Service attack?

Sounds like it. We need to think carefully about how to limit FTP access.

It's hard to differentiate between anonymous and non-anonymous users,
because authorization is defined on a per-directory basis. So basically how
things work now, you must 'cd' to a directory where your userid is defined
before you can do much. This means you can't easily evaluate the validity
of a user at login time. So it's hard to do things like limit the number of
concurrent anonymous FTP logins.

One partial solution would be to limit the total number of FTP connections,
though annoying people could simply fill all those, and prevent anyone else
from getting through. On the upside, the HTTP server would still work fine.

Another solution would be to limit FTP access to users defined in the
top-level Folder. Or maybe limit the number of connections from users not
defined in the top-level Folder.

These issues deserve serious thought.

-Amos
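The two limits Amos sketches (a cap on total FTP channels, and a tighter cap on channels whose user has not yet been validated) can be expressed as an admission policy that runs at accept time, before any USER/PASS exchange. The following is an added example, not ZServer or Medusa code and not anything from this thread; the class name, the three limit values and the per-source-address cap are assumptions (the per-address cap goes slightly beyond the thread: it stops one host from filling every slot that the total cap allows). The sample connection flood at the bottom is constructed for illustration.

```python
"""Connection admission policy for a ZServer-style FTP front end.

Added example (hypothetical, not ZServer/Medusa code). Models the limits
discussed on the list: a hard cap on total FTP channels and a lower cap on
channels that are open but not yet authorized. A per-address cap is added
as a generalisation so a single host cannot consume the whole budget.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class FtpAdmissionPolicy:
    max_total: int = 50             # assumed cap on open FTP channels
    max_unauthenticated: int = 10   # assumed cap on not-yet-authorized channels
    max_per_address: int = 3        # assumed cap per client source address
    _addr_by_conn: Dict[int, str] = field(default_factory=dict)
    _authenticated: Set[int] = field(default_factory=set)
    _next_id: int = 0

    def unauthenticated_count(self) -> int:
        return len(self._addr_by_conn) - len(self._authenticated)

    def per_address_count(self, addr: str) -> int:
        return sum(1 for a in self._addr_by_conn.values() if a == addr)

    def try_open(self, addr: str) -> Optional[int]:
        """Decide at accept() time. Returns a channel id, or None to refuse.
        The unauthenticated cap is what limits a login-spam flood: a channel
        that never validates a user never leaves this bucket."""
        if len(self._addr_by_conn) >= self.max_total:
            return None
        if self.unauthenticated_count() >= self.max_unauthenticated:
            return None
        if self.per_address_count(addr) >= self.max_per_address:
            return None
        cid = self._next_id
        self._next_id += 1
        self._addr_by_conn[cid] = addr
        return cid

    def mark_authenticated(self, cid: int) -> None:
        """Promote a channel once its user is validated (for example against
        the top-level Folder). It then counts only against max_total."""
        if cid in self._addr_by_conn:
            self._authenticated.add(cid)

    def close(self, cid: int) -> None:
        self._addr_by_conn.pop(cid, None)
        self._authenticated.discard(cid)


def demo() -> dict:
    """Constructed flood: one host hammering, then many hosts, then the effect
    of a successful login freeing an unauthenticated slot."""
    policy = FtpAdmissionPolicy(max_total=50, max_unauthenticated=10, max_per_address=3)
    same_host = [policy.try_open("10.0.0.1") for _ in range(30)]
    same_host_accepted = sum(c is not None for c in same_host)        # 3
    many_hosts = [policy.try_open(f"10.0.1.{i}") for i in range(20)]
    many_hosts_accepted = sum(c is not None for c in many_hosts)      # 7
    # A real login validates the first channel; one more unauthenticated
    # channel can now be admitted, but only one.
    policy.mark_authenticated(same_host[0])
    after_auth_first = policy.try_open("10.0.2.1") is not None        # True
    after_auth_second = policy.try_open("10.0.2.2") is not None       # False
    for cid in range(policy._next_id):
        policy.close(cid)
    return {
        "same_host_accepted": same_host_accepted,
        "many_hosts_accepted": many_hosts_accepted,
        "after_auth_first": after_auth_first,
        "after_auth_second": after_auth_second,
        "open_after_close": len(policy._addr_by_conn),
    }


if __name__ == "__main__":
    print(demo())
```

The policy only decides admission; in a real server the unauthenticated bucket should also be drained by an idle timeout, otherwise a client that connects and then goes silent holds its slot indefinitely. Whether a channel is "authenticated" is left to the server's own login check, which is exactly the part Amos notes is hard to do at login time when authorization is per-directory.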