[Zope] possible security flaw? - and, request for a phone conference.

Jon Franz jfranz@one.net
Wed, 7 Jun 2000 21:47:44 -0400


Hello,
	First off, sorry for the cross-posting of this message to admin and
to development.
   I'm a software developer for a major ISP in the Midwest region of the
USA. Recently we began evaluating Zope for use in our web application
development, internally and for our clients, and have been quite pleased
with the wealth of features and add-ons available*; however, I need two
points addressed if possible:

1)  We are running Zope 2.1.4 mapped to the root of the apache install
on a Linux (Mandrake 7.0) box, and have found a rather nasty security
problem - or at least, it's what I'll call a nasty problem - because if
you don't know about it, it could really bite you in the butt.
	Basically, if a user with manager privileges to a folder changes
their password to be empty, then anyone (from permitted domains) can
access the management screen for that folder without logging on... Zope
assumes that you are the user without the password and treats you as if
you have those rights.
	I found this problem when one day the welcome Zope page (default
from install) didn't prompt me for a password when I clicked to enter
the management screen.  I did not realize what had happened until I went
under the 'undo' tab and saw that all of my actions while I was snooping
around for the problem were being listed as being done by one of the
other developers... I went into the acl_users and fixed their password
and everything is back to normal.  I've tested this by setting my own
password to an empty string, and it lets me log in...
	From a security standpoint, it should probably prompt for a user
name and password, and simply accept an empty field for the password
as the password for that user...
	Anyway, my point is to either inform the community of the bug,
if it isn't known, or to find out if it is known and has been fixed
in the newest release...  If it has not been fixed in the newest release,
I will be glad to create and provide a patch...

2)  As an experienced web developer, I'm very keen on new technologies
that can be reused and make my life easier - thus Zope is a godsend.
	However, my management is hesitant to start using Zope on a regular
basis for our projects - they feel it is unproven and possibly unstable.
Now, I realize, and have informed them of the facts, that Digital Creations
makes their living off of Zope, that new businesses are springing up
almost every day that are Zope-centric, and that many contracting/development
firms are embracing it wholeheartedly... But my management is still
kind of hesitant.
	Is there anyone among you in the community who would be willing to
write about your experience with Zope in the professional development
arena, to address their concerns?  Even better, would anyone be willing to
participate in a conference call Q & A session on Zope's suitability for
use in professional web development?  I cannot offer money for this, but
I can promise my undying gratitude, and I can promise that any and all
add-ons and patches we create for Zope would be released back to the
community at large... As a large website app dev firm, our contributions
could be significant...
	Please email me privately if you wish to possibly participate in
the phone conference.
	Thank you for your time and attention!

* I have already made two modifications to the Zope source: one dealing with
making 'border' a built-in property (used during tag output) of the
image object, and another, simple hack to the basic DTML parsing routines
that makes your DTML development a little faster by requiring less typing.
Both of these will be available under my member area on Zope.org.  Hopefully
these will be the first of many patches and add-ons I get to contribute.
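The symptom described in point 1 above (a request carrying no credentials being accepted as the account whose stored password is empty) is a general authentication-logic bug, not specific to Zope. The following added example is not Zope's code and not the poster's patch; it is a self-constructed model of the failure and of the fix the poster proposes: a missing Authorization header must be a challenge, never decoded as an empty password, and an empty password must only match when the client actually sends it for the named account. The user store, account names and passwords are constructed for the example.

```python
import base64
import hmac

# Constructed user store: username -> stored password. Plain-text storage
# is used only to keep the example short; it is NOT a recommendation.
USERS = {
    "alice": "s3cret",
    "bob": "",  # the empty-password account from the post's scenario
}


def basic_header(user, password):
    """Build an HTTP Basic Authorization header for a test request."""
    blob = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + blob


def parse_basic_auth(header):
    """Return (user, password) from a Basic Authorization header, or None
    when the header is absent or malformed. Absence is reported as None,
    not as ("", ""), so callers cannot confuse 'no credentials' with
    'credentials with an empty password'."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def flawed_validate(auth_header, users=USERS):
    """Model of the reported behaviour (constructed, not Zope's source):
    a missing header degrades to empty credentials, and any account whose
    stored password equals the supplied (empty) password is taken to be
    the requester. Returns the username granted, or None."""
    user, password = parse_basic_auth(auth_header) or ("", "")
    for name, stored in users.items():
        if stored == password and (user == "" or user == name):
            return name
    return None


def hardened_validate(auth_header, users=USERS):
    """The behaviour the post asks for: no credentials means no identity
    (the caller should answer 401 with a WWW-Authenticate challenge); an
    empty password is accepted only when the client explicitly sends it
    for the named account. Comparison is constant-time."""
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return None
    user, password = creds
    stored = users.get(user)
    if stored is None:
        return None
    if hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        return user
    return None


def audit_empty_passwords(users=USERS):
    """Operational check: list accounts that would silently grant access
    under the flawed logic, so an admin can fix them (as the poster did)."""
    return sorted(name for name, stored in users.items() if stored == "")


if __name__ == "__main__":
    print("flawed, no credentials:  ", flawed_validate(None))
    print("hardened, no credentials:", hardened_validate(None))
    print("hardened, bob with '':   ", hardened_validate(basic_header("bob", "")))
    print("accounts with empty passwords:", audit_empty_passwords())
```

Running the block shows the difference directly: the flawed path returns "bob" for a request with no Authorization header at all, while the hardened path returns None for that request and only returns "bob" when the client has actually supplied "bob" with an empty password. The audit function is the quick check to run against a user store before relying on any authenticator whose handling of empty credentials you have not verified.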