[Zope] Zope and security.

Otto Hammersmith otto@ipass.net
Wed, 10 Nov 1999 01:46:13 -0500


For a couple of weeks now I've been wondering about Zope's security
vulnerabilities.  Recently I've gotten rather alarmed. While poking
around the zGold site, I've come across some rather surprising things.
In particular, access to the SQL database doesn't seem to be controlled
at all... I was able to snag clear text passwords rather easily. (I hope
no one is using an important password for that site... surprisingly only
three users have 'password'. :)

Presumably this is a server configuration issue, as Zope.org doesn't
have the obvious hole that zGold does.

So, my question is, does there exist a laundry list of common Zope
misconfigurations?  Does there need to be one (Zope.org tips)? The
solution is rather obvious (settings on the security tab for the folder)
but how do new users know to catch that kind of thing?

			-Otto.