[Zope-dev] How (in)secure is Zope?

Stuart Bishop zen@shangri-la.dropbear.id.au
Sun, 23 Mar 2003 12:12:54 +1100


On Thursday, March 13, 2003, at 11:54  AM, Christian Tismer wrote:

> Dear Zope community,
>
> please excuse my ignorance, but I am asked
> from time to time how secure or insecure
> Zope actually is, and I always have to say
> that I actually don't know.

From a sysadmin's point of view, it is roughly
equivalent to Apache with CGI or PHP.

The major differences are:
	- Zope's authentication & authorization systems
	  are implicit in everything you write. It is
	  harder to write insecure code than in PHP
	  or CGI.
	- Anyone with ability to create dynamic content
	  (dtml, python, zpt) can DoS your server.
	- You usually need to run Apache in front of
	  Zope, which adds an additional attack point.

-- 
Stuart Bishop <zen@shangri-la.dropbear.id.au>
http://shangri-la.dropbear.id.au/