
List:       zope
Subject:    Re: [Zope] Virtual Hosting configuration for Zope
From:       Toby Dickenson <tdickenson () devmail ! geminidataloggers ! co ! uk>
Date:       2001-04-05 7:56:26

On 22 Mar 2001 20:13:20 -0700, Bill Anderson <bill@libc.org> wrote:

(my apologies for the delayed reply)

>On 22 Mar 2001 16:17:24 +0000, Toby Dickenson wrote:
>> Is this for an intranet application or something exposed to the raw
>> internet?
>> 
>> IMO ZServer's http implementation isn't sufficiently robust to be
>> exposed directly to untrusted clients.
>
>Upon what do you base this?

There are a number of obvious but minor vulnerabilities. I'm sure they
are all fixable, but they contribute to giving me a sense of caution.

For example the medusa http server buffers incoming http headers in
memory using string concatenation, and does not place an upper limit
on the total size of headers. A malicious http request containing a
large number of headers is an effective denial-of-service attack;
consuming memory equal to the size of the headers sent, and O(n^2)
processor time (because of the concatenation)

[I hope this doesn't come across as FUD; this is the only aspect of
Zope security that causes me any concern, and the easy fix (use of a
front-end proxy) is recommended for other reasons too]


Toby Dickenson
tdickenson@geminidataloggers.com

_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
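The header-buffering weakness Toby describes above (unbounded accumulation by string concatenation) is easy to see and to fix in isolation. The following is an added illustration written for this archive page; it is not Medusa's, ZServer's or Zope's code. It reads a header block from a socket-like stream the way a small HTTP server would, once in the fragile unbounded form and once with a total-size and line-count budget enforced before any further input is buffered. The limits `MAX_HEADER_BYTES` and `MAX_HEADER_COUNT`, the function names and the sample header blocks are all constructed for the example.

```python
import io

MAX_HEADER_BYTES = 8192  # assumed limit; tune per deployment
MAX_HEADER_COUNT = 100   # assumed limit; tune per deployment


class HeaderTooLarge(Exception):
    """Raised when a request's header block exceeds the configured limits."""


def read_headers_unbounded(stream):
    """The pattern the mail describes: grow one string by concatenation until
    the blank line that ends the header block. Each '+=' copies the whole
    buffer, so n lines cost O(n^2), and nothing caps the total size, so the
    peer decides how much memory and CPU the server spends."""
    buf = b""
    while True:
        line = stream.readline()
        if not line or line in (b"\r\n", b"\n"):
            return buf
        buf += line


def read_headers_bounded(stream, max_bytes=MAX_HEADER_BYTES,
                         max_count=MAX_HEADER_COUNT):
    """Read the header block (stream positioned after the request line) and
    refuse the request as soon as it exceeds max_bytes or max_count lines.
    Lines are kept in a list and parsed once, so cost is linear in what is
    accepted. Returns a dict of lower-cased names to values; a repeated
    header name keeps the last value seen."""
    lines = []
    total = 0
    while True:
        # Cap readline so a single line without CRLF cannot blow the budget.
        line = stream.readline(max_bytes + 1)
        if not line:
            raise ValueError("connection closed before end of headers")
        if line in (b"\r\n", b"\n"):
            break
        total += len(line)
        if total > max_bytes:
            raise HeaderTooLarge("header block exceeds %d bytes" % max_bytes)
        lines.append(line)
        if len(lines) > max_count:
            raise HeaderTooLarge("more than %d header lines" % max_count)
    headers = {}
    for raw in lines:
        name, sep, value = raw.rstrip(b"\r\n").partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % raw)
        headers[name.strip().lower().decode("latin-1")] = \
            value.strip().decode("latin-1")
    return headers


def parse_headers(data, **limits):
    """Parse a constructed header block held in bytes under the given limits."""
    return read_headers_bounded(io.BytesIO(data), **limits)


def headers_within_limits(data, **limits):
    """True if the header block is accepted, False if rejected as too large."""
    try:
        parse_headers(data, **limits)
        return True
    except HeaderTooLarge:
        return False


# Constructed sample: an ordinary header block, well under both limits.
NORMAL = b"Host: example.com\r\nUser-Agent: test\r\nAccept: */*\r\n\r\n"

# Constructed sample: 500 filler header lines, far past MAX_HEADER_COUNT
# (about 28 KiB in total), standing in for the oversized request the mail
# describes. The bounded reader stops at line 101 and buffers nothing more.
OVERSIZED = b"".join(b"X-Filler-%d: %s\r\n" % (i, b"a" * 40)
                     for i in range(500)) + b"\r\n"

if __name__ == "__main__":
    print("unbounded reader swallowed %d bytes"
          % len(read_headers_unbounded(io.BytesIO(OVERSIZED))))
    print("bounded reader accepts normal block:", parse_headers(NORMAL))
    print("bounded reader accepts oversized block:",
          headers_within_limits(OVERSIZED))
```

The two points the bounded version makes are that the limit is checked as each line arrives, not after the whole block has been collected, and that accumulation uses a list joined once rather than repeated concatenation. A front-end proxy of the kind the mail recommends enforces the same budget in front of the application server (Apache's `LimitRequestFieldSize` and `LimitRequestFields` directives are the corresponding knobs there).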

