Security Basics mailing list archives
Re: zope - plone security issues
From: Kelly Martin <kel () securityfocus com>
Date: Fri, 7 May 2004 16:02:42 -0600 (MDT)
On Fri, 7 May 2004, Christos Gioran wrote:
If you agree on this approach, is there any difference, security-wise, in compiling all programs in the chroot jail (all programs being zope, plone *and* python) statically or shared? If so, why?
I'm still in the development process with Zope myself, so I can't give any of my own real-world examples of pen-testing a Zope app, unfortunately. With the way inheritance works in Python/Zope/CMF/Plone, though, I think most of the security issues in your app will stem from logic errors, and also from not setting the right permissions for certain objects. Otherwise there have been a few vulnerabilities in Zope, but they've been fixed in the latest versions. Will you be using Plone as your base to develop from?

However, per your last point, I'd be interested to know if you're successful in chrooting Zope. When I compiled and launched Zope 2.7.0, run as its own user (running on OpenBSD-3.3-stable), it always exited with a segmentation fault as soon as a web request was made. Crash. The only alternative was to launch as root temporarily and have it switch to its own user. rrgh. That's probably a security risk.

The Plone mailing list is quite busy, but I'm not aware of any online archives of it to search for more info. Personally I've found moving from the cgi-bin development model to Zope to be rather complicated. :)
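The "launch as root, then switch to its own user" route Kelly fell back to is only as risky as the switch is reversible. The following is an added example for this thread, not code from the original post or from Zope/Plone: a Python start-up sequence that enters the chroot jail first (chroot needs root), then gives up root in the order that actually makes the drop stick, and finally checks that root cannot be regained. The jail path and service user name are assumptions, as are all function names.

```python
# Added example, not code from the original thread nor from Zope/Plone:
# the "start as root, then switch to an unprivileged user" start-up that
# Kelly fell back to, done so that the switch cannot be undone, with a
# chroot before it. JAIL_DIR and SERVICE_USER are assumed names.
import os
import pwd

JAIL_DIR = "/var/zope-jail"   # assumption: where the chroot jail lives
SERVICE_USER = "zope"         # assumption: the unprivileged service account


def current_ids():
    """Effective (uid, gid) of this process."""
    return (os.geteuid(), os.getegid())


def resolve_user(name):
    """Look up (uid, gid) for a user name in the passwd database.
    Do this before chroot: /etc/passwd is usually not inside the jail."""
    pw = pwd.getpwnam(name)
    return (pw.pw_uid, pw.pw_gid)


def enter_jail(path):
    """chroot into path. Must run as root. The chdir("/") afterwards is
    what stops the process from keeping a working directory outside the
    new root, which is a classic way chroots get escaped."""
    os.chroot(path)
    os.chdir("/")


def drop_privileges(uid, gid):
    """Switch from root to uid/gid permanently and return the new ids.

    The order is the important part: supplementary groups first and the
    gid second, because both of those calls need root; the uid last.
    setgid/setuid (not setegid/seteuid) also rewrite the saved ids, so a
    later setuid(0) fails instead of silently restoring root.
    """
    if os.geteuid() != 0:
        if current_ids() == (uid, gid):
            return current_ids()          # already running as the target
        raise RuntimeError("must be root to switch to another user")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    return current_ids()


def root_regainable():
    """True if this process can still become root, i.e. the drop was
    skipped or used only the effective uid. After a correct drop the
    kernel answers setuid(0) with EPERM, seen here as PermissionError."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def main():
    if os.geteuid() != 0:
        print("start as root: chroot and the user switch both need it")
        return
    uid, gid = resolve_user(SERVICE_USER)   # resolve before chroot
    enter_jail(JAIL_DIR)                    # chroot also needs root
    print("now running as", drop_privileges(uid, gid))
    print("root regainable:", root_regainable())   # expected: False


if __name__ == "__main__":
    main()
```

Two practical notes. Anything the server needs root for (binding port 80, opening log files under /var/log) has to happen between `enter_jail` and `drop_privileges`, and the descriptors are simply kept open across the drop. And a dynamically linked Python inside the jail needs its shared libraries copied in (and kept patched) alongside it, which a static build avoids; that is the practical difference behind the static-versus-shared question above, independent of the privilege drop itself.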
Current thread:
- zope - plone security issues Christos Gioran (May 07)
- Re: zope - plone security issues Kelly Martin (May 07)
- Re: zope - plone security issues Christos Gioran (May 10)
- Re: zope - plone security issues Kelly Martin (May 07)