[Zope] Virtual Hosting configuration for Zope

Toby Dickenson tdickenson@geminidataloggers.com
Thu, 05 Apr 2001 08:56:26 +0100


On 22 Mar 2001 20:13:20 -0700, Bill Anderson <bill@libc.org> wrote:

(my apologies for the delayed reply)

>On 22 Mar 2001 16:17:24 +0000, Toby Dickenson wrote:
>> Is this for an intranet application or something exposed to the raw
>> internet?
>>
>> IMO ZServer's http implementation isn't sufficiently robust to be
>> exposed directly to untrusted clients.
>
>Upon what do you base this?

There are a number of obvious but minor vulnerabilities. I'm sure they
are all fixable, but they contribute to giving me a sense of caution.

For example the medusa http server buffers incoming http headers in
memory using string concatenation, and does not place an upper limit
on the total size of headers. A malicious http request containing a
large number of headers is an effective denial-of-service attack;
consuming memory equal to the size of the headers sent, and O(n^2)
processor time (because of the concatenation).

[I hope this doesn't come across as FUD; this is the only aspect of
Zope security that causes me any concern, and the easy fix (use of a
front-end proxy) is recommended for other reasons too]


Toby Dickenson
tdickenson@geminidataloggers.com
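The pattern Toby describes, shown as an added illustration (this is not medusa, ZServer or Zope code, and the limits and class names are hypothetical): one reader accumulates the request head by string concatenation with no cap, the other keeps chunks in a list, joins once, and rejects the request as soon as a byte or line budget is exceeded. The `simulate` helper feeds a constructed request one header line per chunk and reports how many bytes each reader copied, which makes the O(n^2) copying visible and shows the bounded reader stopping early.

```python
"""Bounded request-head accumulation for an HTTP server.

Added illustration, not medusa/ZServer code. UnboundedHeaderReader reproduces
the pattern criticised in the message (string concatenation, no cap);
BoundedHeaderReader shows the usual fix. All limits are hypothetical values.
"""
from typing import List, Optional, Tuple

MAX_HEADER_BYTES = 8 * 1024   # hypothetical cap on the whole request head
MAX_HEADER_LINES = 100        # hypothetical cap on CRLF-terminated lines
TERMINATOR = b"\r\n\r\n"      # end of the request head


class HeaderTooLarge(Exception):
    """Client sent more header data than the configured budget allows."""


class UnboundedHeaderReader:
    """Concatenates every chunk onto one string with no upper bound.

    Each feed() copies the whole buffer, so n chunks cost O(n^2) bytes copied,
    and memory grows with whatever the client chooses to send.
    """

    def __init__(self) -> None:
        self.buf = b""
        self.bytes_copied = 0   # instrumentation: total bytes copied so far

    def feed(self, chunk: bytes) -> Optional[bytes]:
        self.buf = self.buf + chunk          # copies len(buf) + len(chunk)
        self.bytes_copied += len(self.buf)
        end = self.buf.find(TERMINATOR)
        return None if end == -1 else self.buf[:end]


class BoundedHeaderReader:
    """Keeps chunks in a list (joined once) and rejects oversized heads early."""

    def __init__(self, max_bytes: int = MAX_HEADER_BYTES,
                 max_lines: int = MAX_HEADER_LINES) -> None:
        self.parts: List[bytes] = []
        self.size = 0            # bytes received so far
        self.lines = 0           # CRLF sequences seen so far
        self.tail = b""          # last 3 bytes of the stream, so a terminator
                                 # split across chunks is still found
        self.max_bytes = max_bytes
        self.max_lines = max_lines
        self.bytes_copied = 0

    def feed(self, chunk: bytes) -> Optional[bytes]:
        self.size += len(chunk)
        if self.size > self.max_bytes:
            raise HeaderTooLarge(f"request head exceeds {self.max_bytes} bytes")
        window = self.tail + chunk
        # Count only CRLFs that are new in this chunk (or straddle the boundary).
        self.lines += window.count(b"\r\n") - self.tail.count(b"\r\n")
        if self.lines > self.max_lines:
            raise HeaderTooLarge(f"request head exceeds {self.max_lines} lines")
        self.parts.append(chunk)             # no copy of earlier data
        self.bytes_copied += len(chunk)
        if TERMINATOR not in window:
            self.tail = window[-3:]
            return None
        head = b"".join(self.parts)          # the single O(n) copy
        self.bytes_copied += len(head)
        return head[:head.find(TERMINATOR)]


def simulate(reader_cls, n_headers: int, header_len: int = 64) -> Tuple[int, int, str]:
    """Feed a constructed request with n_headers padded header lines, one chunk
    per line. Returns (bytes_received, bytes_copied, outcome)."""
    chunks = [b"GET / HTTP/1.0\r\n"]
    chunks += [b"X-Pad-%d: " % i + b"a" * header_len + b"\r\n" for i in range(n_headers)]
    chunks.append(b"\r\n")
    reader = reader_cls()
    received = 0
    try:
        for chunk in chunks:
            received += len(chunk)
            if reader.feed(chunk) is not None:
                return received, reader.bytes_copied, "accepted"
        return received, reader.bytes_copied, "incomplete"
    except HeaderTooLarge:
        return received, reader.bytes_copied, "rejected"


if __name__ == "__main__":
    for cls in (UnboundedHeaderReader, BoundedHeaderReader):
        print(cls.__name__, "small:", simulate(cls, 5), "large:", simulate(cls, 2000))
```

With 2000 padded headers the unbounded reader copies roughly a thousand times more bytes than it received, while the bounded reader stops after a few kilobytes; the same budget check is what a front-end proxy such as Apache applies before a request ever reaches the application server, which is why the proxy is the easy fix the message mentions.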