Re: zope - plone security issues
From: Kelly Martin (kel_at_securityfocus.com)
Date: 05/08/04
- Previous message: VonGrebe, Chris: "RE: ICMP/UDP flood"
- In reply to: Christos Gioran: "zope - plone security issues"
- Next in thread: Christos Gioran: "Re: zope - plone security issues"
- Reply: Christos Gioran: "Re: zope - plone security issues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 7 May 2004 16:02:42 -0600 (MDT)
To: Christos Gioran <himicos@freemail.gr>
On Fri, 7 May 2004, Christos Gioran wrote:
> If you agree on
> this approach, is there any difference, security-wise, in compiling all
> programs in the chroot jail (all programs being zope, plone *and* python)
> statically or shared? If so, why?
I'm still in the development process with Zope myself, so I can't give any
of my own real-world examples of pen-testing a zope app, unfortunately.
With the way inheritance works in Python/Zope/CMF/Plone, though, I think
most of the security issues in your app will stem from logic errors, and
also not setting the right permissions for certain objects. Otherwise
there have been a few vulnerabilities in Zope but they've been fixed in
the latest versions. Will you be using Plone as your base to develop from?
However, per your last point, I'd be interested to know if you're
successful in chrooting zope. When I compiled and launched Zope 2.7.0, run
as its own user (running on OpenBSD-3.3-stable), it always exits with a
segmentation fault as soon as a web request is made. Crash. The only
alternative was to launch as root temporarily and have it switch to its
own user. rrgh. That's probably a security risk.
The Plone mailing list is quite busy, but I'm not aware of any online
archives of it to search for more info. Personally I've found moving from
the cgi-bin development model to Zope to be rather complicated. :)
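The "launch as root, then switch to its own user" startup that the message describes is the standard way to enter a chroot jail (which itself requires root), and the risk lies in getting the order wrong or in never verifying that root is actually gone. Below is an added example, not code from the original post or from Zope, showing that sequence for a Python-hosted service: chroot, chdir into the jail, clear supplementary groups, set the gid, then the uid, and finally confirm that regaining uid 0 fails. The user, group and jail path are assumptions for illustration; explicit `uid`/`gid` arguments exist so the validation step can be exercised without real accounts.

```python
"""Added example (not from the original post): privilege-drop sequence for
a service started as root and switched to its own user inside a chroot.
The account names and the jail path below are assumptions."""
import grp
import os
import pwd


def plan_privilege_drop(user, group, jail, uid=None, gid=None):
    """Validate the target identity and return the ordered list of steps.

    uid/gid may be given explicitly (so the checks can run without the
    accounts existing); otherwise they are resolved through pwd/grp.
    """
    if uid is None:
        uid = pwd.getpwnam(user).pw_uid
    if gid is None:
        gid = grp.getgrnam(group).gr_gid
    # "Dropping" to uid/gid 0 keeps full privilege; refuse outright.
    if uid == 0 or gid == 0:
        raise ValueError("refusing to switch to uid/gid 0")
    if not os.path.isabs(jail):
        raise ValueError("chroot directory must be an absolute path")
    return [
        ("chroot", jail),      # needs root, so it must come first
        ("chdir", "/"),        # otherwise the cwd still points outside the jail
        ("setgroups", []),     # clear supplementary groups inherited from root
        ("setgid", gid),       # group before user: setgid needs root
        ("setuid", uid),       # last: after this nothing privileged is possible
    ]


def drop_privileges(user="zope", group="zope", jail="/var/zope"):
    """Apply the plan, then prove root is gone (must itself run as root)."""
    for op, arg in plan_privilege_drop(user, group, jail):
        getattr(os, op)(arg)
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: process can still become root")


if __name__ == "__main__":
    # Only meaningful when started as root; a plain user just sees the plan.
    if os.getuid() == 0:
        print("dropped:", drop_privileges())
    else:
        for step in plan_privilege_drop("zope", "zope", "/var/zope",
                                        uid=1001, gid=1001):
            print(step)
```

Two caveats relate directly to the question quoted above. A binary built against shared libraries will fail inside the jail unless those libraries (and the dynamic loader) are copied in, while a statically linked build needs nothing beyond its own data files; the security posture is the same either way, but the static build removes one class of startup failure. And the final `setuid(0)` probe is what turns "probably a security risk" into a checked property: if it does not raise, the service must not continue serving requests.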