[Zope] Zope Security

Michel Pelletier michel@digicool.com
Tue, 15 May 2001 12:49:24 -0700 (PDT)

On 15 May 2001, Alastair Burt wrote:

> I am getting aggravation from our sysadmin, who is reluctant to poke holes
> in our new firewall for my Zope ports.  He claims he knows of no software
> in the last few years that has so many security holes.  Is there anything
> to justify this claim? 

Not really.

> I know there are an alarmingly large number of Zope
> hotfixes on the security mailing lists

Not any more than many other popular server systems.  An often our
security alerts are for unauthorized access to objects, *not* to your
filesystem or the rest of your machine or network.  If you do the right
thing and run Zope as nobody, you should be fine.

> and that login passwords get sent in
> the clear, when not using ssl. 

That's the fault of HTTP basic auth, not Zope, Apache and everything else
sends it's basic auth credentials in the same way.

> On the other hand, I know of no attempt to
> hack a Zope site.

I suggest you tell your administrator that he's right, and that in no way
should you use Zope.  Use IIS instead.  It's much more secure, really.  Oh
yeah, and he absolutly must install FrontPage 2000 for his security to be