[Zope-dev] How (in)secure is Zope?

Toby Dickenson tdickenson@geminidataloggers.com
Thu, 13 Mar 2003 10:13:31 +0000


On Thursday 13 March 2003 9:25 am, Lennart Regebro wrote:

> 5. Protecting yourself against denial of service:
> Zope does not seem to crash if you send random data to it, and I have in
> logs seen attempts to overflow buffers and the like that obviously are
> attempts to crash or break into other (MS) servers, without this
> affecting Zope at all.

There is evidence that this is not true.

> If you don't trust Zope in this, you can put
> Apache in front of it.

> In this sense Zope is again VERY secure.

Zope is insecure

Zope+Squid(or Apache or Pound)+OS resource limits+careful choice of products  
is secure

(Note that I don't consider this a flaw in Zope.)
-- 
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson