[Zope] Securing Zope
Robert Segall
roseg at apsis.ch
Wed Sep 17 10:21:14 EDT 2003
On Wednesday 17 September 2003 14:19, you wrote:
> Jamie Heilman wrote:
> > There was some recent interest in security issues with Zope
> > installations, so I just thought I'd announce that I'm now keeping a
> > public collection of notes about outstanding security problems at
> > http://audible.transient.net/zope/ It's not complete yet (only
> > addresses open collector issues currently), I'll probably be adding to
> > it for the next few days until it is (inasmuch as it can be just
> > representing my knowledge on the subject).
>
> The acrimonious nature of your document means many people are unlikely to
> take it seriously and hardly anyone who _can_ fix the problems you
> half-heartedly describe will want to put up with the verbal battering
> required to do so...
>
> Don't know if you actually "get" how open source works, which is a shame,
> given that you seem to have a good insight into a lot of these problems...
>
> Chris
Sorry Chris, but that is NOT how security works: you have to take seriously
any issue, no matter how unpleasant the manner in which it was raised.
The issues raised by Jamie are legitimate, and they should be (eventually)
dealt with. What the priority is I am not really sure - I doubt Zope will
ever be a good idea in a truly high security environment. This is not a
negative remark on the Zope development, but rather a reflection on any
highly complex system.
Jamie's fixes are useful and should be considered by anybody who is really
interested in these matters. Whether they are really vital is another
question: some of the issues are not important in certain scenarios (small
development team on single project may not care about privilege
escalation via ZMI, problems with the CGI are of no importance unless you use
that mechanism), others can be dealt with by other mechanisms (proxy
filtering). Yet some others are truly horrible and affect everybody (the idea
of allowing XML-RPC on the HTTP port is about as bad as anything I have ever
seen). All in all it is your decision what you want to do about them, but you
should at least be aware of their existence; dismissing them because they
were pointed out in an impolite manner is not the answer.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
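The post names two mitigations in passing: filtering at a proxy in front of Zope, and not letting XML-RPC be reachable on the public HTTP port. The following is an added example of such a filter, written for this archive page; it is not code from Zope, from the linked notes, or from either author. It assumes a front-end (reverse proxy or WSGI layer) that can see the request method, headers, body prefix and client address, and the `Request` class, the `ADMIN_NETWORKS` list and the 127.0.0.0/8 and 10.0.0.0/8 ranges are constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed assumption: networks from which XML-RPC is still permitted
# (e.g. an internal management host). Everything else is refused.
ADMIN_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
]


@dataclass
class Request:
    """Minimal stand-in for what a proxy sees; constructed for this example."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    remote_addr: str = "0.0.0.0"


def is_xmlrpc(req: Request) -> bool:
    """Classify a request as XML-RPC.

    Checks the Content-Type first, but because that header is chosen by the
    client, the first bytes of the body are inspected as well so that a
    <methodCall> sent under a misleading content type is still caught.
    """
    if req.method.upper() != "POST":
        return False
    headers = {k.lower(): v for k, v in req.headers.items()}
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith("text/xml") or ctype.startswith("application/xml"):
        return True
    prefix = req.body.lstrip()[:512].lower()
    return b"<methodcall" in prefix


def decide(req: Request) -> str:
    """Return 'allow' or 'reject' for the request.

    Ordinary browser traffic passes untouched; XML-RPC is allowed only from
    ADMIN_NETWORKS, which keeps it off the public HTTP port without having to
    change anything inside Zope itself.
    """
    if not is_xmlrpc(req):
        return "allow"
    client = ipaddress.ip_address(req.remote_addr)
    if any(client in net for net in ADMIN_NETWORKS):
        return "allow"
    return "reject"


if __name__ == "__main__":
    # Constructed sample traffic to exercise the filter offline.
    samples = [
        Request("GET", "/index_html", remote_addr="203.0.113.5"),
        Request("POST", "/manage_main", {"Content-Type": "text/xml"},
                b"<?xml version='1.0'?><methodCall>...</methodCall>",
                "203.0.113.5"),
        Request("POST", "/", {"Content-Type": "application/x-www-form-urlencoded"},
                b"<methodCall><methodName>x</methodName></methodCall>",
                "203.0.113.5"),
        Request("POST", "/", {"Content-Type": "text/xml"},
                b"<methodCall/>", "127.0.0.1"),
    ]
    for r in samples:
        print(f"{r.remote_addr:>12} {r.method:<4} {r.path:<14} -> {decide(r)}")
```

Rejected requests should be logged with the client address and path rather than silently dropped, since a steady stream of XML-RPC attempts against the public port is itself a useful signal.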