[Zope] defacement/crack statistics

sean.upton@uniontrib.com sean.upton@uniontrib.com
Mon, 04 Jun 2001 12:20:09 -0700


I agree: it would be nice to write a hotfix for Zope that permits a remote
'rm -rf /' command to be executed.  If I could install that hotfix
through-the-web, that would be even better. ;) Kidding aside, the very
reasons hotfixes exist preclude the idea of TTW implementation of hotfixes
in the first place.  The only way I would think this would be acceptable is
if there were a way to hard-code it so that only localhost could do this, if
even that...

Sean

-----Original Message-----
From: Jason C. Leach [mailto:jleach@mail.ocis.net]
Sent: Monday, June 04, 2001 10:35 AM
To: zope@zope.org
Subject: Re: [Zope] defacement/crack statistics


hi,

An automated 'hotfix' management system would be a really good tool to
implement in Zope.  Perhaps a simple button in the Control Panel to
fetch and install the latest hotfixes.

j.

......................
..... Jason C. Leach
... University College of the Cariboo.
.. 

On Mon, 4 Jun 2001, Michel Pelletier wrote:

> On Sun, 3 Jun 2001 kosh@aesaeion.com wrote:
> 
> > Does anyone have any statistics on how often zope servers tend to get
> > cracked? I have been looking on line and so far I have found no data on
> > that. Either there has not been one which is unlikely or they are
> > extremely rare which is more likely considering the ACL system.
> >
> > Need some information for customers and these kinds of numbers would be
> > very useful.
> 
> I've been around since the pre-Zope, and I also help do commercial support
> for DC.  I have never once heard from the community, or from a customer,
> of any successful or unsuccessful crack of Zope.  I, like you, would be
> very interested to hear of one.
> 
> Of course it can happen, there are well known exploits for older versions
> of Zope, three major ones in the last year and a half, if memory serves
> right.  All of those exploits were fixed the same day they were reported,
> often within hours, and new versions and security updates for older
> versions were released, so even if there is an older version and the
> maintainer patched it with a hotfix, it's safe (from the known exploit).
> 
> Most exploits (as far as I know) are discovered by community members in the
> course of their experimentation with Zope.  This is one of the greatest
> strengths of open source.  Of course, there's nothing like a full blown
> security audit, but then again, there's nothing like roasting hot
> dogs over large piles of burning money either.
> 
> -Michel
> 


_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )