[Zope-dev] Re: [Zope3-dev] How (in)secure is Zope?

2003-03-13 Thread Christian Tismer 
Tim Peters wrote:
[Christian Tismer]

...
I don't mean to offend anybody by this, it is just
a very simple question which I cannot answer alone.


There may be a simple question hiding in this, but it's hard to find wink.

You try:  how secure is sendmail?  how secure is ssh?  how secure is Python?
Answer those simple(?!) questions in the way you're looking for, and maybe
someone can do the same wrt Zope.  As is, you *appear* to be asking for a
one-word summary of an encyclopedia.  Big wink.
Hey, you're right.
Maybe, by simple question I meant short question,
not necessarily easy to answer at all. :-)
For the sysadmin's POV, I think it should be formulated
like:
If I install Zope, and I don't have the time to become
a Zope guru, what are the newly accumulated risks
for my system, if I use the default installation?
The biggest fear would probably be a number of known
exploits, and Joe Hacker just has to download some
of those tools, and the system is open.
It appears that at least *that* is not the case.
I think the answers given on the list were quite
useful, thanks to you all!
cheers - chris

p.s.: sendmail? ssh? Python?
Security exploits are discussed in the bugtraq list.
I can find them all in the list archive.
What about Zope? It is not in bugtraq.
--
Christian Tismer :^)   mailto:[EMAIL PROTECTED]
Mission Impossible 5oftware  : Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a :*Starship* http://starship.python.net/
14109 Berlin : PGP key - http://wwwkeys.pgp.net/
work +49 30 89 09 53 34  home +49 30 802 86 56  pager +49 173 24 18 776
PGP 0x57F3BF04   9064 F4E1 D754 C2FF 1619  305B C09C 5A3B 57F3 BF04
 whom do you want to sponsor today?   http://www.stackless.com/
___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: [Zope3-dev] How (in)secure is Zope?

2003-03-13 Thread Paul Winkler 
On Wed, Mar 12, 2003 at 09:39:02PM -0500, Tres Seaver wrote:
 Now let me describe another configuraton, running in production now for
 years (one process in the cluster had an uptime of 400 days at a recent
 hardware-induced reboot):
 
   - Two Zope application servers run behind a load balancer and an
 Apache proxy (non-caching), serving requests against data in a
 shared storage server.
 
   - The server permits through-the-web registration, with minimal
 identity check (only a valid e-mail address.  As of this writing,
 there are 18000+ user accounts.
 
   - Users of the site get a member folder where they can create
 templates, Python scripts, and content within the ZODB.  Some
 minimal workflow exists, controlling basically whether the user's
 content is included in site searches.

Hmmm, I wonder what this site is. ;-)

-- 

Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's GIRL ATHON!
(random hero from isometric.spaceninja.com)

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

[Zope-dev] RE: [Zope3-dev] How (in)secure is Zope?

2003-03-13 Thread Tim Peters 
[Christian Tismer]
 ...
 p.s.: sendmail? ssh? Python?
 Security exploits are discussed in the bugtraq list.
 I can find them all in the list archive.
 What about Zope? It is not in bugtraq.

The obvious conclusion is that no security hole has ever been discovered in
Zope.  Whether that's a *correct* conclusion I take no position on, just
that it's the obvious conclusion wink.

 I think the answers given on the list were quite
 useful, thanks to you all!

You're welcome.  Don't forget that Zope's source is open, too:  lots of
eyeballs have scanned it, so the potentially dangerous modes of operation
seem well-known in the community.


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: [Zope3-dev] How (in)secure is Zope?

2003-03-12 Thread Tres Seaver 
On Wed, 2003-03-12 at 19:54, Christian Tismer wrote:
 Dear Zope community,
 
 please excuse my ignorance, but I am asked
 from time to time how secure or insecure
 Zope actually is, and I always have to say
 that I actually don't know.
 
 There are people claiming that Zope opens a system
 to quite some level, others claim the opposite.
 
 Can someone please enlighten me and give me some
 details? Especially, are there some Zope products
 considered especially insecure?
 
 And, pondering more on security, are these issues,
 if they exist, bounded to Zope itself, or becomes
 a system generally more open to attacks, after
 Zope was installed?
 
 I don't mean to offend anybody by this, it is just
 a very simple question which I cannot answer alone.

I think the problem is that the question isn't really simple, because
the different configurations in which Zope is used vary so much.  For
instance, let me describe a configuration which is in production todday:

  - Zope is configured such that it listens for requests only on a
single, non-routed interface.

  - Public access is mediated by a caching reverse proxy.

  - The user and group as which Zope runs in this setup hass extremely
reduced privilegss:  it has read access to Python, the standard
Python libraries, the Zope sofware, and its configuration files;
it has write access only to the var directory in which it
keeps its database, PID, and log files.

  - Anonymous users in this Zope instance have only one permission,
which allows them to view published content.  They cannot create
objects in the ZODB at all.

  - Content managers never log into this Zope instance at all;  instead,
they use a separate instance, behind the company's firewall, with
an entirely different set of permissions;  yet, the content is
shared directly with the public site, via mounted storages.

In this scenario, the Zope process itself has a very small vulnerability
set:

  - The proxy shields Zope from most forms of DoS attacks (cleverly
constructed query strings might still be able to get through).

  - Because the Zope instance uses Python's string handling facilities,
it is not vulnerable to many of the buffer overflow attacks which
plague C-based daemons.

  - If a user could gain control of the Zope process, the only scope
for damage would be the ZODB itself.

Now let me describe another configuraton, running in production now for
years (one process in the cluster had an uptime of 400 days at a recent
hardware-induced reboot):

  - Two Zope application servers run behind a load balancer and an
Apache proxy (non-caching), serving requests against data in a
shared storage server.

  - The server permits through-the-web registration, with minimal
identity check (only a valid e-mail address.  As of this writing,
there are 18000+ user accounts.

  - Users of the site get a member folder where they can create
templates, Python scripts, and content within the ZODB.  Some
minimal workflow exists, controlling basically whether the user's
content is included in site searches.

This configuration is perhaps the most vulnerable I can think of: 
nearly-anonymous users can create applications, using as much of Python
as the through-the-web Python scripts allow.  Yet, in the years this
site has been running, it has suffered from only mild forms of abuse:

  - Malice-free templating triggered DoS-like bursts of activity
(looping, or pathologically-nested acquisition).

  - Warez r00erz were using the site to serve ripped-off tarballs,
before the site added upload filters which made the practice
unprofitable. 

  - Some users used the templating features to construct sub-sites which
violated the terms of use for their accounts, which were eventually
terminated.

  - Occasionally, the site sees bursts of DoS-like activity (which may
be malicious, or may simply be incompetently-written spiders).  The
normal defense to such attacks is to block packets from their IPs
(or ranges) at the border router.

How could such a site not have been wrecked?  I can offer a couple of
hypotheses:

  - Trashing it hasn't been attractive enough to sufficiently determined
blackhats.

  - Zope's restrictions on through-the-web code are mostly successful:
in particular, such code can see only white-listed library
modules, and has limited access to attributes and methods of objects
in the object database.

 thanks so much in advance -- chris

There *are* add-on products which can potentially increase the
vulnerability of a Zope application, by expanding access to the kinds of
modules which allow an attacker to springboard from Zope (Python's
urllib, os, etc.).

Zope has issued a number of security advisories, accompanied by
installable hot-fix products:

  http://www.zope.org/Products/Zope/hotfixes

Note that almost all of these advisories relate to issues with through-
the-web

[Zope-dev] RE: [Zope3-dev] How (in)secure is Zope?

2003-03-12 Thread Tim Peters 
[Christian Tismer]
 ...
 I don't mean to offend anybody by this, it is just
 a very simple question which I cannot answer alone.

There may be a simple question hiding in this, but it's hard to find wink.

You try:  how secure is sendmail?  how secure is ssh?  how secure is Python?
Answer those simple(?!) questions in the way you're looking for, and maybe
someone can do the same wrt Zope.  As is, you *appear* to be asking for a
one-word summary of an encyclopedia.  Big wink.


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )