[Zope] defacement/crack statistics

Shane Hathaway shane@digicool.com
Mon, 04 Jun 2001 15:12:33 -0400


Andy McKay wrote:
> I believe this is the problem:
> 
> - we see a hotfix which fixes an obscure security problem in an unusual
> situation. Mostly related to allowing trusted users access to create stuff
> (a la Zope.org). Most sites do not do this and most security patches are of
> little importance.
> 
> - this hotfix gets reported on Zope.org and thanks to the wonders of
> syndication and RSS is reported on numerous sites. There was an old article
> on this (http://www.zopezen.org/SDot/983385083/index_html). Everyone thinks
> Zope is insecure and hence people see all these security patches with Zope
> in them and think it's insecure.
> 
> I'm not sure how to solve this or educate people.

DC has had a perception for some time that other Zope sites often allow
untrusted users to write scripts.  Over time it has become clear that this
is really not the case AFAICT.  But we treated any small exploit like a
big one, which seems unnecessary now.

The first security hole I found (which, incidentally, helped get me
hired :-) ) involved an intruder constructing a series of DTML methods
that could mimic the AUTHENTICATED_USER object, then replacing
AUTHENTICATED_USER with that object.  It gave the intruder full access,
yes, but the intruder had to have some privileges in the first place to
do it.  This was a big concern for zope.org and free Zope hosting
providers, but not sites like CBS NY which don't allow untrusted users
to create DTML.

I think the root of the problem is that we used to recommend people use
DTML documents to store content.  That meant that DTML documents had to
be bulletproof against attacks even by semi-trusted users.  They still
are, but today the story is that you should store content in the form
that best fits the type of content.  That means that content authors
aren't normally allowed to write complex scripts. For the most part,
they never wanted to in the first place!

I'd say Zope has a very good track record in the area of security.  DC
is just paranoid. :-)

Shane