[Zope] fyi: apache + ssl + zope + zope management interface example

Jamie Heilman jamie@audible.transient.net
Fri, 28 Mar 2003 19:39:16 -0800


Ricardo Anguiano wrote:
> I am unclear on the problem.  I am not using a cache.

If you're not using a cache then you shouldn't be vulnerable.  I'd
suggest using a protective configuration regardless though.

> a cache, wouldn't the "tainted" URIs just fill my cache with garbage
> and degrade performance?

Well cache poisoning is a little bit more annoying than that--it would
allow an attacker to make your site look like trash for subsequent
visitors (or worse given the issues described in issue 813, but that's
a different bug).
 
> Can you describe a situation where the configuration is
> broken and allows plaintext transmissions?

If I can find a spot in the zope source where there exists a
management method that doesn't have the word 'manage' in it, yes.  I
don't know of one off the top of my head though.  I'm just saying that
assuming that all ttw methods contain 'manage' somewhere in them may
be a brash assumption. (Especially if you have 3rd party products
installed.)
 
> Do you have a pointer to an example?

Well, consider the following Apache configuration fragment:

# this vhost requires a valid client cert
SSLVerifyClient require
# ^/zope* is proxied to a local zserver
RewriteRule ^/zope(.*) http://127.0.0.1:8080/VirtualHostBase/https/example.com:443/VirtualHostRoot/_vh_zope$1 [P,L]
# ^/zope* is considered a protected realm, only clients whose DN
# appears in the 'passwd' file will be allowed entry, proxy requests
# sent to zserver will include an auth header constructed from the DN
# and the password 'password'
<Location "/zope">
 SSLOptions FakeBasicAuth
 AuthName "Zope Management"
 AuthType Basic
 AuthUserFile passwd
 require valid-user
</Location>

Now the obvious issue with this is that every user's password is
"password" and their username is their DN (which tends to be long and
look ugly in the ZMI, but that's just cosmetic).

I dunno, I may just ditch this line of thought entirely as I can't see
any way to make this a safe practice on a multiuser machine without
reverting to unix domain sockets, and that requires hacking the hell
out of mod_rewrite or possibly mod_proxy.  This probably just isn't
worth all the effort.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
                                                        -Frank Zappa
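The fragment above is worth seeing from the backend's side: what ZServer actually receives once mod_rewrite and FakeBasicAuth have done their work. The following is an added Python example, not code from the original message or from Zope or Apache; it models the RewriteRule and the header mod_ssl synthesises, and flags the exposure the message describes (a loopback TCP listener on a multiuser host plus a constant password). The DN and request paths are constructed for illustration; the fixed password "password" is mod_ssl's documented FakeBasicAuth behaviour.

```python
import base64
import re

# Fixed password mod_ssl uses for every client under SSLOptions FakeBasicAuth.
FAKE_BASIC_AUTH_PASSWORD = "password"

# The RewriteRule from the message: ^/zope(.*) -> local ZServer via VirtualHostBase.
REWRITE_RE = re.compile(r"^/zope(.*)")
BACKEND_TEMPLATE = (
    "http://127.0.0.1:8080/VirtualHostBase/https/example.com:443"
    "/VirtualHostRoot/_vh_zope{rest}"
)


def rewrite(path: str):
    """Apply the RewriteRule; return the proxied backend URL, or None if the rule does not match."""
    m = REWRITE_RE.match(path)
    if not m:
        return None
    return BACKEND_TEMPLATE.format(rest=m.group(1))


def fake_basic_auth_header(client_dn: str) -> str:
    """Authorization header mod_ssl adds to the proxied request: base64('<DN>:password')."""
    token = base64.b64encode(f"{client_dn}:{FAKE_BASIC_AUTH_PASSWORD}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header: str):
    """What the backend sees after decoding the header: a (username, password) pair."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def audit_backend_exposure(listener: str, fake_basic_auth: bool, multiuser_host: bool) -> list:
    """Return the concerns raised in the message for a given deployment.

    listener: where ZServer listens, e.g. "tcp://127.0.0.1:8080" or "unix:///var/run/zope.sock"
    (the unix: form is a hypothetical label; the message notes ZServer does not offer it without patching).
    """
    findings = []
    if fake_basic_auth:
        findings.append("every user authenticates to the backend with the constant password 'password'")
    if listener.startswith("tcp://") and multiuser_host:
        findings.append("any local user can connect to the backend and present the same header")
    return findings


if __name__ == "__main__":
    dn = "/C=US/O=Example/CN=alice"  # constructed client certificate DN
    for path in ("/zope/manage_main", "/zope", "/index.html"):
        print(path, "->", rewrite(path))
    hdr = fake_basic_auth_header(dn)
    print("backend sees user/password:", decode_basic_auth(hdr))
    for f in audit_backend_exposure("tcp://127.0.0.1:8080", True, True):
        print("concern:", f)
```

Running it shows that the backend cannot distinguish a request Apache forwarded after verifying a client certificate from one that any local process sent to port 8080 with the same header, which is exactly why the message concludes that only a listener unavailable to other local users (a unix domain socket) would make the scheme safe on a shared machine.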