[Zope] Zope Security

Joachim Werner joe@iuveno-net.de
Tue, 15 May 2001 21:40:16 +0200


Hi!

> I am getting aggravation from our sysadmin, who is reluctant to poke holes
> in our new firewall for my Zope ports.  He claims he knows of no software
> in the last few years that has so many security holes.  Is there anything
> to justify this claim?  I know there are an alarmingly large number of Zope
> hotfixes on the security mailing lists and that login passwords get sent in
> the clear, when not using ssl.  On the other hand, I know of no attempt to
> hack a Zope site.

I've heard of one: But that was Tom Schwaller getting password-sniffed in
the local IP network on LinuxTag. ;-) Though I am not sure if this is just a
good story or real ...

This could have happened with any other software that allows over-the-web
management. And using SSL does away with this ...

Zope CAN be dangerous if applied without care, of course. But that's the job
of your sysadmin. E.g. LocalFS combined with read/write permissions to
critical resources for the user account running Zope is like leaving the
door of your car open in Naples ...

Joachim
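The LocalFS point above is really a least-privilege question: which paths can the account that runs Zope actually write to? The following is an added example, not part of the original post and not Zope or LocalFS code; it implements the POSIX owner/group/other write check and runs it over a small constructed inventory of paths, modes and owners (the paths, uid/gid values and the account name "zope" are hypothetical), with a second function that builds the same inventory from a live filesystem with os.stat. ACLs, immutable attributes and capabilities are not modelled, so treat a "writable" result as a lead, not a verdict.

```python
import os
import pwd
import grp
import stat

# Constructed sample inventory (hypothetical values, not taken from any real host):
# path -> (st_mode, owner uid, owner gid)
SAMPLE_INVENTORY = {
    "/etc/passwd":           (0o100644, 0, 0),
    "/etc/shadow":           (0o100640, 0, 42),     # group 42 standing in for "shadow"
    "/var/zope/var/Data.fs": (0o100660, 1001, 1001), # Zope's own database, owned by zope
    "/var/www/html":         (0o040775, 0, 1001),    # web root, group-writable by zope
    "/usr/lib/cron/tabs":    (0o040730, 0, 1001),    # hypothetical misconfiguration
}

# Hypothetical service account: uid 1001, member of group 1001 only.
SAMPLE_ACCOUNT = {"uid": 1001, "gids": {1001}}


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """POSIX write check: root always wins, otherwise exactly one of the
    owner / group / other classes applies, in that order of precedence."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_inventory(inventory, uid, gids):
    """Return the sorted list of inventory paths the account can write to."""
    return sorted(
        path
        for path, (mode, owner_uid, owner_gid) in inventory.items()
        if can_write(mode, owner_uid, owner_gid, uid, gids)
    )


def account_gids(username):
    """Primary group plus every group that lists the user as a member."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def audit_filesystem(paths, username):
    """Build the inventory from the live filesystem and audit it for `username`.
    Paths that do not exist or cannot be stat'ed are skipped."""
    uid, gids = account_gids(username)
    inventory = {}
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue
        inventory[path] = (st.st_mode, st.st_uid, st.st_gid)
    return audit_inventory(inventory, uid, gids)


if __name__ == "__main__":
    # Offline run over the constructed inventory.
    for path in audit_inventory(SAMPLE_INVENTORY, SAMPLE_ACCOUNT["uid"], SAMPLE_ACCOUNT["gids"]):
        print("writable by zope account:", path)
    # Live run: only works where a "zope" user exists (hypothetical name).
    try:
        print(audit_filesystem(list(SAMPLE_INVENTORY), "zope"))
    except KeyError:
        print("no 'zope' account on this host; skipping live audit")
```

Anything the audit reports outside Zope's own var/ directory (here the web root and a cron spool) is exactly the kind of resource that LocalFS would expose to anyone with write access to the Zope management interface, so either the permission or the LocalFS object should go.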