[Zope] Major security flaw in Zope 2.3.2

Jerome Alet alet@unice.fr
Wed, 6 Jun 2001 19:41:13 +0200


On Wed, Jun 06, 2001 at 03:34:10PM +0200, Joachim Werner wrote:
> 
> > if Data.fs is owned by nobody.nogroup, Apache is installed on the same
> > machine, and the user can run his own cgi-scripts (most ISPs I suppose), then
> > by default the user's CGI scripts will run as nobody too, allowing him
> > to read Data.fs during his own CGI execution, and copy it wherever he wants
> > during this time.
> 
> This is indeed the only really frightening scenario. Finally a reason to not
> use "nobody" but a dedicated Zope user to run a Zope instance ;-)
> 
> > Solutions:
> >
> > * make Data.fs and Data.fs.old only readable by a user every
> >           other user on the system can't run commands as.
> 
> yep
> 
> > * But the best to do is:
> >
> > Encrypt all passwords in the ZODB.
> 
> And then I copy the Data.fs to a new Zope, create a superuser and walk in
> ... Or did I miss something?

Yes: you miss that after having "walked" into your own copy of a stolen Data.fs, you
know all the passwords, which will allow you to deface the original site by putting
your own index_html there saying "nice" things about you on the front page...

> First of all, I don't think the password issue really IS an issue. I mean,
> as soon as I have read access to an Apache's data directory, I also can copy
> it. You just should not be able to come that far ...

Yes, you can copy it, but not modify it, see above.

However, this is just a matter of "the good way to do it", and "the good way to do it" regarding
password storage is to store them in an encrypted form.

bye,

Jerome Alet
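The two points argued above, that a world-readable Data.fs can be copied by any process running as the same user, and that stored credentials should be hashed rather than kept in the clear, are illustrated by the following added example. It is not Zope's code and does not touch the ZODB; the record format, the PBKDF2 parameters and the throwaway file are constructed for illustration. The first part contrasts a cleartext credential record with a salted-hash record to show what a copied store hands to its holder; the second part checks the file-mode bit that makes the copy possible.

```python
"""Added example (not Zope's own code): hashed credential storage versus
cleartext, and a check for a world-readable database file.
All names, values and the record layout are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# Assumption: an illustrative PBKDF2 work factor; tune for the deployment.
PBKDF2_ROUNDS = 200_000


def make_plaintext_record(password):
    """The storage style the thread argues against: the password itself is stored."""
    return {"password": password}


def make_hashed_record(password):
    """Derive a salted hash; only salt, hash and cost parameters are stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify(record, candidate):
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["rounds"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_reveals_password(record, password):
    """What the holder of a copied store learns: does the password appear verbatim?"""
    return password in record.values()


def world_readable(path):
    """True when the 'other' read bit is set, i.e. any local user (or CGI
    process running as a shared account) can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo_permissions():
    """Create a throwaway file standing in for Data.fs, check it at mode 0644
    (readable by everyone) and again at 0600 (owner only)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        open_to_all = world_readable(path)
        os.chmod(path, 0o600)
        owner_only = world_readable(path)
    finally:
        os.unlink(path)
    return open_to_all, owner_only


if __name__ == "__main__":
    secret = "correct horse"  # constructed sample password
    clear = make_plaintext_record(secret)
    hashed = make_hashed_record(secret)
    print("cleartext record leaks password:", record_reveals_password(clear, secret))
    print("hashed record leaks password:   ", record_reveals_password(hashed, secret))
    print("login with right password:      ", verify(hashed, secret))
    print("login with wrong password:      ", verify(hashed, "guess"))
    print("(0644 world-readable, 0600 world-readable):", demo_permissions())
```

The hashed record still lets a copied database be loaded into a fresh instance, as Joachim describes, but the copy no longer yields passwords that work against the original site; the attacker's only route is an offline guess per record, which the work factor slows. The permission check is the complement: it is the mode that decides whether the copy can be taken at all.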