Hi!
I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software in the last few years that has so many security holes. Is there anything to justify this claim? I know there are an alarmingly large number of Zope hotfixes on the security mailing lists and that login passwords get sent in the clear when not using SSL. On the other hand, I know of no attempt to hack a Zope site.

I've heard of one: But that was Tom Schwaller getting password-sniffed in the local IP network on LinuxTag. ;-) Though I am not sure if this is just a good story or real ...

This could have happened with any other software that allows over-the-web management. And using SSL does away with this ...

Zope CAN be dangerous if applied without care of course. But that's the job of your sysadmin. E.g. LocalFS combined with read/write permissions to critical resources for the user account running Zope is like leaving the door of your car open in Naples ...

Joachim