[Zope] issues of trust, why security via mod_rewrite fails

Jamie Heilman jamie@audible.transient.net
Mon, 2 Jun 2003 12:32:12 -0700

Oliver Bleutgen wrote:
> And let me thank you for that, IMO you do a very important service for 
> the zope community. Unfortunately it seems that unless there is a major 
> flaw found, there's not much interest in this kind of security analysis.

Thanks!  I have to say I too don't understand the perfunctory attitude
towards security in Zope.  I've pointed out numerous avenues for cross
site scripting, which even when patched, thanks to the misplacement of
trust, allow poisoning of caches with false hostnames, URIs, etc.
Even finding out if a page uses a cache manager is trivial, thanks to
the unprotected method of ZCacheable_getURL in the ZCacheable mix-in.
(which is fixed in my reworked version see bug 911)  My point is, you
combine enough of these things together and you can start to build a
pretty effective attack against a Zope host.
> At least with VHM, I think the solution is straightforward. Abandon the 
> path for forwarding information to zope, and use custom http-headers 
> instead. VHM then would delete these headers on traversal (to hide that 
> information from not-so-trusted code inside zope).
> This solution would not only be more secure, it would also simplify the 
> VHM code alot, and it would certainly be faster.

Yeah I think you're right, the extra header occured to me too, I
haven't hammered out any code yet (too busy updating the patchwork for
813) but its on my list.  Now, while I think a new header is a good
stop-gap I don't think its a permanent solution.  The probablem of no
canonical host name is still source of pain in zope and I have a hunch
a long term solution will solve both problems at once, as well as be
safe to use on a multi-user machine with potentially hostile accounts.
I don't yet know what that solution might look like though.

Jamie Heilman                   http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 one direction, and time is its only measure."		-Rosencrantz