[Zope-dev] How (in)secure is Zope?

Jamie Heilman jamie@audible.transient.net
Wed, 12 Mar 2003 17:58:27 -0800


Christian Tismer wrote:
> please excuse my ignorance, but I am asked from time to time how
> secure or insecure Zope actually is, and I always have to say that I
> actually don't know.

That's a good answer.  Another one you might consider is, "2 liters"
because there is no simple answer to that question.
 
> There are people claiming that Zope opens a system to quite some
> level, others claim the opposite.

Ideally, Zope only opens the system to the extent the system
administrator allows it to.  Resource limits, chroot jails, and so
forth, are effective ways to de-fang many of the avenues available to
Zope users with the ability to instantiate dtml, script, and other
such objects.  Zope's ACLs also help an admin carve up their users
into realms of trust.

> Can someone please enlighten me and give me some details?
> Especially, are there some Zope products considered especially
> "insecure"?  And, pondering more on security, are these issues, if
> they exist, bounded to Zope itself, or becomes a system generally
> more "open" to attacks, after Zope was installed?

Generally, the more software you install, the more open to attack you
are.  If you don't need it, don't run it, and don't install it.  Some
Zope products may open up more avenues of exploit than others, that's
why the admin should audit them before installing.
 
> I don't mean to offend anybody by this, it is just a very simple
> question which I cannot answer alone.

No, it's not a very simple question.  If Zope was a small program with
a single clear purpose, it might be.  But Zope is a large framework
with a multitude of directions.  (A small program with a single clear
purpose can not do what Zope does; let it be known I'm not suggesting
Zope should be somehow packed into a small program with a single clear
purpose.  Broken up into several... perhaps, but that's a different
thread.)

Outside of the ideal world, unless extreme care is taken, software
tends to have flaws with security ramifications.  Last time I counted
(March 1st.) there were 16 unaddressed issues in the Zope bug
collector that had been marked as having security ramifications.  Two
of them are mine, and thus I feel confident in saying Zope is not as
secure as it should or could be, but that if nothing else, the
maintainers have been made aware of these shortcomings and that one
can assume (if they should or not is a different matter) the issues
will be taken care of.

I will go on record as saying that, recently, response times to
security-related issues in the Zope2 tree have been disappointing.
Construe from that what you will.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
						-Sathington Willoughby