[Zope] Zope Security Problem

Kevin Dangoor kid@kendermedia.com
Sun, 29 Aug 1999 16:27:48 -0400


-----Original Message-----
From: Martijn Pieters <mj@antraciet.nl>
To: Andreas Kostyrka <andreas@mtg.co.at>; Alexander Staubo <alex@mop.no>
Cc: Zope Mailing List (E-mail) <zope@zope.org>
Date: Sunday, August 29, 1999 4:15 PM
Subject: RE: [Zope] <code> tag?


>At 18:58 29-8-99 , Andreas Kostyrka wrote:
>>On Sun, 29 Aug 1999, Alexander Staubo wrote:
>>
>> > It only works when explicitly requesting a document by its name. So:
>> >
>> > http://www.mtg.co.at/PrincipiaSearchSource
>> >
>> > won't work, whereas:
>> >
>> > http://www.mtg.co.at/index_html/PrincipiaSearchSource
>> >
>> > will get you the DTML source.
>>Confirmed. That's what one calls a security misfeature?
>
>Being able to view a site's source code might reveal shortcomings in it that
>can be used to gain further access to your site. It might be that Zope has
>vulnerabilities as yet undiscovered. When thinking in terms of security,
>expect the worst.

I agree that there may be further security implications. Plus, not
*everything* in the world is open source. I'm of the opinion that people
should choose what is open and what is not...

>
>Okay, how about the source of your Z SQL Methods: Add getFindContent to the
>URL of a ZSQL Method, and you get the source, and this cannot be
>restrictable.
>
>If Zope wants to claim that it is secure, you should be able to protect
>your site's source code.

So, anyone can look at the content of a Z SQL Method or a DTML Method (and
maybe document). Is it possible to look at any arbitrary property? I've been
working under the assumption that there was no way for someone to view a
property unless you give them access via a method or the management
screens...

Kevin
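The two disclosure paths discussed in this thread (appending PrincipiaSearchSource to a DTML Document or Method URL, and getFindContent to a Z SQL Method URL) are easy to check for across a site. The script below is an added example written for this archive page, not code from the original post or from Zope itself. It takes a list of object URLs, requests each with both suffixes, and flags a response that both returns 200 and looks like DTML or SQL source. The hostname zope.example, the object names index_html and sqlGetUsers, the canned responses, and the source-detection markers are all assumptions constructed for the example; the real probe would use http_fetch against the live server.

```python
"""Probe Zope object URLs for the source-disclosure suffixes named in the thread.

Added example, not from the original mailing-list post or from Zope. The two
suffixes come from the discussion; the markers used to decide that a response
body is source are an assumption made here.
"""
import re
import urllib.error
import urllib.request

# Suffixes reported in the thread as exposing object source.
SUFFIXES = ("PrincipiaSearchSource", "getFindContent")

# Assumed heuristic: a body containing DTML tags, server-side-include style
# directives, or a SELECT ... FROM statement is treated as leaked source.
SOURCE_MARKERS = re.compile(
    r"<dtml-|<!--#|\bselect\b.+?\bfrom\b", re.IGNORECASE | re.DOTALL
)


def probe_urls(object_url, fetch):
    """Return [(probe_url, suffix)] for every suffix that disclosed source.

    `fetch(url)` must return (status, body); it is injected so the logic can
    be exercised offline against constructed responses.
    """
    findings = []
    base = object_url.rstrip("/")
    for suffix in SUFFIXES:
        probe = base + "/" + suffix
        status, body = fetch(probe)
        if status == 200 and SOURCE_MARKERS.search(body):
            findings.append((probe, suffix))
    return findings


def http_fetch(url, timeout=10):
    """Live fetcher: returns (status, body); (None, '') on connection errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return None, ""


# Constructed responses modelling the behaviour described in the thread:
# the site root does not answer to the suffix, a DTML document and a
# Z SQL Method do.
CONSTRUCTED_RESPONSES = {
    "http://zope.example/index_html/PrincipiaSearchSource": (
        200,
        "<dtml-var standard_html_header>\n<h1>Welcome</h1>\n"
        "<dtml-var standard_html_footer>\n",
    ),
    "http://zope.example/sqlGetUsers/getFindContent": (
        200,
        "select name, password from users\n"
        "where id = <dtml-sqlvar id type=int>\n",
    ),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch using the constructed responses."""
    return CONSTRUCTED_RESPONSES.get(url, (404, "Not Found"))


def scan(object_urls, fetch=http_fetch):
    """Probe each URL and return {object_url: findings} for those that leaked."""
    report = {}
    for url in object_urls:
        findings = probe_urls(url, fetch)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    # Offline demonstration against the constructed responses.
    targets = [
        "http://zope.example",
        "http://zope.example/index_html",
        "http://zope.example/sqlGetUsers",
    ]
    for obj, hits in scan(targets, fetch=fake_fetch).items():
        for probe, suffix in hits:
            print(f"{obj}: source exposed via /{suffix} -> {probe}")
```

Running it against a real server means calling `scan(urls)` with the default http_fetch; the constructed responses reproduce the thread's observation that the suffix on the bare site root is refused while the same suffix on a named DTML document or Z SQL Method returns the source.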