Dear Zope community,
please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know.
There are people claiming that Zope opens a system to quite some level, others claim the opposite.
Can someone please enlighten me and give me some details? Especially, are there some Zope products considered especially "insecure"?
And, pondering more on security, are these issues, if they exist, bounded to Zope itself, or becomes a system generally more "open" to attacks, after Zope was installed?
I don't mean to offend anybody by this, it is just a very simple question which I cannot answer alone.
thanks so much in advance -- chris
I think to be fair here we should compare Zope's security to the security of other similar tools, not only point out that there still are issues in Zope.
It is extremely difficult to write secure web software that is at the same time highly interactive. If you want people to be able to do a lot with your system you will also have to open it up to some degree.
My basic oppinion is that Zope is one of the most secure solutions for dynamic web applications.
Some of the issues that have not been talked about in the previous postings:
- Products that let you access the file system:
There is a number of products (like LocalFS) that let you access the file system directly. While this is not always a problem one has to be extremely careful with those because they circumvent Zope's access limitations to the file system. Of course you are still restricted to the user Zope is running at ...
- Products or methods that can use up a lot of resources:
I can think of a couple of ways of using up most of the resources on a Zope system:
- Using PIL (Python Imaging Library) without care: Let's say you offer an automatic image scaling tool to your users that can be called via a URL. Then it is relatively easy for an attacker to let PIL create huge images that might take several seconds to render and use up tens of megabytes of RAM. Doing this in a massive way will bring the server to a halt. There are similar exploits using other resource- intensive software, so this is just an example.
Note that this is not a Zope design flaw, but a potential danger when being too careless in extending Zope.
- Uploading huge files: This can effectively be handled by a proxy server (Apache can also limit most other DOS-related parameters quite efficiently)
- Doing things that are perfectly allowed too frequently, like hammering the over-the-web registration tool with a robot: This has to be taken care of by the programmer. I'd guess that most of the servers out there (Zope or non-Zope) are not perfect in that respect. Again, Apache might help here.
- Writing malicious code that "loops forever" etc. This is a part where Zope's security works quite well, but it is not perfect. There are no "infinite" loops or recursions because you'll eventually get stopped by Zope or Python. But I remember that I was able to write a three-liner in a (Script) Python that had a flaw and caused an enormous system load before it was terminated. The only way to stop this is careful coding. In a very public environment I'd limit the scripting available to site visitors to very simple tools like structured text. As soons as somebody untrusted can write code there is no way of preventing DOS-type attacks. Powerful tools are powerful. It's like guns: They can not be built to only kill the bad guys ...
- Cross-scripting issues:
I guess that some of those are still in the Zope Management Interface (which is not meant to be used by untrusted users in most cases), but Zope offers a lot of tools to make sure that it is hard to post malicious code in forums, attack Zope via URLs etc.
For example there are quoting mechanisms in place, either automatic or easily applicable, that can be used to protect SQL strings, URLs, and text that is displayed on the site. The majority of exploits in PHP- or Perl-based solutions is in this domain.
It is safe to say Zope is more secure than most other web application servers (protection against buffer overflows, limited access to the system's resources, very limited file system access, quoting mechanisms, secure SQL database access, very sophisticated internal security model), but Zope is not a firewall. If you don't take care there is some chance of DOS attacks. On the other hand I am quite positive that Zope is very secure in terms of preventing unauthorized access to the system (root exploits etc.).
Wittelsbacherstr. 23b 90475 Nürnberg
[EMAIL PROTECTED] www.iuveno.de
Tel.: +49 (0) 911/ 9 88 39 84
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce