[Zope] Zope Security

Chris McDonough chrism@digicool.com
Tue, 15 May 2001 10:46:25 -0400


Many (most?) of the hotfixes have to do with fixing security holes which are
a problem if and only if you allow untrusted (or semi-trusted) users to write
DTML/Python on your website via the through-the-web interface.

If you don't allow this (most people don't... most people can't even
conceive of it, because they have no concept that it can actually be done,
and no other platforms provide for such a feature), the number of Zope
security-related problems over the last few years goes down considerably.  I
count six (out of a total of 11) of them that are *not* related to
through-the-web scripting since last June, one of which doesn't allow for
meaningful elevation of privilege in any way.  This leaves five "critical"
security-related bugs in a year, all of which have fixes.

Consider also that Zope contains a webserver, a database, its own templating
language, and its own search engine.  Advise your admin to check the number
of combined security reports for Apache, MySQL, embperl, and HTdig for the
last year, and compare them against the number reported and fixed in Zope.
I'd imagine they're comparable.

- C


----- Original Message -----
From: "Alastair Burt" <burt@dfki.de>
To: <zope@zope.org>
Sent: Tuesday, May 15, 2001 10:15 AM
Subject: [Zope] Zope Security


> I am getting aggravation from our sysadmin, who is reluctant to poke holes
> in our new firewall for my Zope ports.  He claims he knows of no software
> in the last few years that has so many security holes.  Is there anything
> to justify this claim?  I know there are an alarmingly large number of Zope
> hotfixes on the security mailing lists and that login passwords get sent in
> the clear, when not using ssl.  On the other hand, I know of no attempt to
> hack a Zope site.
>
> --- Alastair
>