Does anyone have any statistics on how often Zope servers tend to get cracked? I have been looking online and so far I have found no data on that. Either there has not been one, which is unlikely, or they are extremely rare, which is more likely considering the ACL system.
Need some information for customers and these kinds of numbers would be very useful.
I've been around since the pre-Zope, and I also help do commercial support for DC. I have never once heard from the community, or from a customer, of any successful or unsuccessful crack of Zope. I, like you, would be very interested to hear of one.
Hi!

The only successful attack I know of is that Tom Schwaller's linuxcommunity site was apparently defaced at LinuxTag 2000 in Stuttgart, Germany. I have not really seen it happen, and the exploit was said to have been a typical password-sniffing attack from within the LinuxTag local IP net that could have been avoided with SSH and would be extremely unlikely over the Internet.

Unfortunately Zope seems to have a very bad reputation for security holes in the non-Zope Linux community. I am not sure where this comes from. Maybe it is just because all zope.org security alerts were promptly posted on the usual sites (like RedHat's or SuSE's) and people were not able to judge the importance of those. In addition to that, as I have read in an earlier posting some weeks ago, one would have to compare Zope not just with Apache, but with a completely configured system, e.g. a LAMP (Linux, Apache, MySQL, Perl/PHP) installation, and count the total applicable security issues this combination has/had against Zope's.

The good thing with a standard Zope installation is that even if you hack into the FTP port, ZServer would never even be able to serve you files from outside the ZODB. That's why useful tools like LocalFS have to be handled with care ...

Joachim