[Zope] security hole
Dylan Reinhardt
zope@dylanreinhardt.com
27 Mar 2003 21:25:14 -0800
On Fri, 2003-03-28 at 01:13, Stephan Goeldi wrote:
> accessing a zope site with nautilus can show you the whole structure: folders,
> methods and documents. On some sites you see the source of index_html. I
> didn't figure out, what makes the difference.
>
Zope has a very solid security apparatus, but the default configuration
is *not* the most secure one available.
You've discovered one way in which this is the case: By default, Zope
servers will disclose detailed information about server setup to WebDAV.
If you are concerned that this isn't a great way to manage your server,
(IMO, it's not) you should configure accordingly. Open up the
permissions for the root object and de-select the box that grants WebDAV
Access privileges to Anonymous. If you've set everything else to
inherit this permission, that setting will cascade down your whole
server. If not, rinse and repeat.
Managing security is a process of balancing convenience against
paranoia. By default Zope errs a bit on the side of convenience... a
common balance point. The Zope admin's job is to understand these
choices and make them differently as requirements dictate.
HTH,
Dylan