[Zope] security issues

Ragnar Beer rbeer@uni-goettingen.de
Fri, 2 Jun 2000 22:34:22 +0200


>  > I will soon have a Zope-site ready to go online. How can I make sure
>  > that I did everything (concerning Zope) to stop intruders? Where can
>  > I find information about protecting a Zope-site? Has anyone had
>  > security problems so far?
>
>Easiest (most brutal?) fix I've found - hide Zope behind an Apache,
>and prohibit access to any URLs of the form .*/manage.*

This is what I'm doing at the moment (more or less) but your question 
made me think. Actually this is an example of "allow anything that 
isn't explicitly denied" which is not a very good policy if you want 
security. I remember (but - darn - can't remember where I have it) a 
posting that said that anyone can easily see the names of all objects 
in a folder which is nice intelligence gathering.
I guess it would be much better (and even more brutal;) to deny 
everything that isn't allowed explicitly. I'll try that later. I 
think I'll have to allow .*_html and .*_img for the http protocol 
plus all the .*/manage.* stuff for https and perhaps also make some 
(not so secure) restrictions based on ip addresses.

--Ragnar
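As an added illustration of the two proxy policies discussed above (this configuration is not from the thread or from the Zope project): an Apache httpd reverse-proxy setup in which the quoted reply's deny-only-`/manage` rule is shown commented out next to the default-deny layout Ragnar proposes. It assumes Apache 2.4 syntax with mod_rewrite, mod_proxy_http and mod_ssl loaded, a Zope instance listening on 127.0.0.1:8080, and the host name, certificate paths and client network are placeholders; the `_html`, `_img` and `.*/manage.*` patterns are the ones named in the post.

```apache
# Added example, not part of the original post. Assumes Apache httpd 2.4 with
# mod_rewrite, mod_proxy_http and mod_ssl, and Zope on 127.0.0.1:8080 (placeholder).

# --- Policy from the quoted reply: default-allow, deny only the management URLs ---
# Left commented out so it does not combine with the allowlist below. Every path
# not matching "/manage" would still reach Zope, which is the weakness Ragnar notes.
# <LocationMatch "/manage">
#     Require all denied
# </LocationMatch>

# --- Policy Ragnar proposes: default-deny, allow only what is listed ---

<VirtualHost *:80>
    # Placeholder host name.
    ServerName www.example.org

    RewriteEngine On
    # Successive RewriteCond lines are ANDed: the rule fires, and the request is
    # answered 403, only when the path ends in neither _html nor _img.
    RewriteCond %{REQUEST_URI} !_html$
    RewriteCond %{REQUEST_URI} !_img$
    RewriteRule ^ - [F]

    # Only requests that passed the allowlist are proxied to Zope.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:443>
    # Placeholder host name and certificate paths.
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    RewriteEngine On
    # Same allowlist as on port 80, plus the management screens (.*/manage.*),
    # which are therefore reachable only over https.
    RewriteCond %{REQUEST_URI} !_html$
    RewriteCond %{REQUEST_URI} !_img$
    RewriteCond %{REQUEST_URI} !/manage
    RewriteRule ^ - [F]

    # The additional "not so secure" layer from the post: management URLs are
    # further limited to one client network (placeholder range). This is a
    # complement to Zope's own authentication, not a replacement for it.
    <LocationMatch "/manage">
        Require ip 192.0.2.0/24
    </LocationMatch>

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The `$` anchors mean the allowlist admits `index_html` but not `index_html/` or a path that merely contains `_html`; mod_rewrite's `RewriteRule` runs before mod_proxy decides on `ProxyPass`, so a forbidden request never reaches Zope. Whatever new object names a site later exposes have to be added to the `RewriteCond` allowlist explicitly, which is exactly the property a default-deny policy is meant to enforce.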