defacement/crack statistics
Does anyone have any statistics on how often Zope servers tend to get cracked? I have been looking online and so far I have found no data on that. Either there has not been one, which is unlikely, or they are extremely rare, which is more likely considering the ACL system. I need some information for customers, and these kinds of numbers would be very useful. Thanks.

Designing the webpages of tomorrow http://webme-eng.com
Designing the MMORPGs of tomorrow http://worldforge.org
On Sun, 3 Jun 2001 kosh@aesaeion.com wrote:
Does anyone have any statistics on how often Zope servers tend to get cracked? I have been looking online and so far I have found no data on that. Either there has not been one, which is unlikely, or they are extremely rare, which is more likely considering the ACL system.
Need some information for customers and these kinds of numbers would be very useful.
I've been around since the pre-Zope days, and I also help do commercial support for DC. I have never once heard from the community, or from a customer, of any successful or unsuccessful crack of Zope. I, like you, would be very interested to hear of one.

Of course it can happen; there are well known exploits for older versions of Zope, three major ones in the last year and a half, if memory serves right. All of those exploits were fixed the same day they were reported, often within hours, and new versions and security updates for older versions were released, so even if there is an older version and the maintainer patched it with a hotfix, it's safe (from the known exploit).

Most exploits (as far as I know) are discovered by community members in the course of their experimentation with Zope. This is one of the greatest strengths of open source. Of course, there's nothing like a full-blown security audit, but then again, there's nothing like roasting hot dogs over large piles of burning money either.

-Michel
Does anyone have any statistics on how often Zope servers tend to get cracked? I have been looking online and so far I have found no data on that. Either there has not been one, which is unlikely, or they are extremely rare, which is more likely considering the ACL system.
Need some information for customers and these kinds of numbers would be very useful.
I've been around since the pre-Zope days, and I also help do commercial support for DC. I have never once heard from the community, or from a customer, of any successful or unsuccessful crack of Zope. I, like you, would be very interested to hear of one.
Hi!

The only successful attack I know of is that Tom Schwaller's linuxcommunity site was apparently defaced at LinuxTag 2000 in Stuttgart, Germany. I have not really seen it happen, and the exploit was said to have been a typical password-sniffing attack from within the LinuxTag local IP net that could have been avoided with SSH and would be extremely unlikely over the Internet.

Unfortunately Zope seems to have a very bad reputation for security holes in the non-Zope Linux community. I am not sure where this comes from. Maybe it is just because all zope.org security alerts were promptly posted on the usual sites (like RedHat's or SuSE's) and people were not able to judge the importance of those.

In addition to that, as I have read in an earlier posting some weeks ago, one would have to compare Zope not just with Apache, but with a completely configured system, e.g. a LAMP (Linux, Apache, MySQL, Perl/PHP) installation, and count the total applicable security issues this combination has/had against Zope's.

The good thing with a standard Zope installation is that even if you hack into the FTP port, ZServer would never even be able to serve you files from outside the ZODB. That's why useful tools like LocalFS have to be handled with care ...

Joachim
Maybe it is just because all zope.org security alerts were promptly posted on the usual sites (like RedHat's or SuSE's) and people were not able to judge the importance of those.
I believe this is the problem:

- We see a hotfix which fixes an obscure security problem in an unusual situation, mostly related to allowing trusted users access to create stuff (a la Zope.org). Most sites do not do this, and most security patches are of little importance.

- This hotfix gets reported on Zope.org and, thanks to the wonders of syndication and RSS, is reported on numerous sites. There was an old article on this (http://www.zopezen.org/SDot/983385083/index_html). Everyone thinks Zope is insecure, and hence people see all these security patches with Zope in them and think it's insecure.

I'm not sure how to solve this or educate people.

Cheers.
-- Andy McKay.
Andy McKay wrote:
I believe this is the problem:
- We see a hotfix which fixes an obscure security problem in an unusual situation, mostly related to allowing trusted users access to create stuff (a la Zope.org). Most sites do not do this, and most security patches are of little importance.

- This hotfix gets reported on Zope.org and, thanks to the wonders of syndication and RSS, is reported on numerous sites. There was an old article on this (http://www.zopezen.org/SDot/983385083/index_html). Everyone thinks Zope is insecure, and hence people see all these security patches with Zope in them and think it's insecure.

I'm not sure how to solve this or educate people.
DC has had a perception for some time that other Zope sites often allow untrusted users to write scripts. Over time it has become clear that this is really not the case, AFAICT. But we treated any small exploit like a big one, which seems unnecessary now.

The first security hole I found (which, incidentally, helped get me hired :-) ) involved an intruder constructing a series of DTML methods that could mimic the AUTHENTICATED_USER object, then replacing AUTHENTICATED_USER with that object. It gave the intruder full access, yes, but the intruder had to have some privileges in the first place to do it. This was a big concern for zope.org and free Zope hosting providers, but not for sites like CBS NY which don't allow untrusted users to create DTML.

I think the root of the problem is that we used to recommend people use DTML documents to store content. That meant that DTML documents had to be bulletproof against attacks even by semi-trusted users. They still are, but today the story is that you should store content in the form that best fits the type of content. That means that content authors aren't normally allowed to write complex scripts. For the most part, they never wanted to in the first place!

I'd say Zope has a very good track record in the area of security. DC is just paranoid. :-)

Shane
On Mon, Jun 04, 2001 at 03:12:33PM -0400, Shane Hathaway wrote:
Andy McKay wrote:
I believe this is the problem:
- We see a hotfix which fixes an obscure security problem in an unusual situation, mostly related to allowing trusted users access to create stuff (a la Zope.org). Most sites do not do this, and most security patches are of little importance.
I'd say Zope has a very good track record in the area of security. DC is just paranoid. :-)
I would not disagree, but part of the problem is the language that DC has normally used to advertise a hotfix. This is truly a delicate situation, in that you want to be damned sure that needed patches are applied; but in the past, the alerts have been somewhat breathless.

I think it might be a real help if the alerts had a section titled something like "Profile of Affected Site", and then the paragraph said "Zope hosting site, or other site that lets unknown or untrusted users post DTML", "Zope site that permits posting of structured text", or "All users, Yeep! Red Alert, man the battle stations".

It might also help to begin the alert with a notice of the number of sites known to have been defaced as a result of the problem.
Hi,

An automated 'hotfix' management system would be a really good tool to implement in Zope. Perhaps a simple button in the Control Panel to fetch and install the latest hotfixes.

j.

Jason C. Leach
University College of the Cariboo

On Mon, 4 Jun 2001, Michel Pelletier wrote:
On Sun, 3 Jun 2001 kosh@aesaeion.com wrote:
Does anyone have any statistics on how often Zope servers tend to get cracked? I have been looking online and so far I have found no data on that. Either there has not been one, which is unlikely, or they are extremely rare, which is more likely considering the ACL system.
Need some information for customers and these kinds of numbers would be very useful.
I've been around since the pre-Zope days, and I also help do commercial support for DC. I have never once heard from the community, or from a customer, of any successful or unsuccessful crack of Zope. I, like you, would be very interested to hear of one.
Of course it can happen; there are well known exploits for older versions of Zope, three major ones in the last year and a half, if memory serves right. All of those exploits were fixed the same day they were reported, often within hours, and new versions and security updates for older versions were released, so even if there is an older version and the maintainer patched it with a hotfix, it's safe (from the known exploit).
Most exploits (as far as I know) are discovered by community members in the course of their experimentation with Zope. This is one of the greatest strengths of open source. Of course, there's nothing like a full-blown security audit, but then again, there's nothing like roasting hot dogs over large piles of burning money either.
-Michel
Participants (7):
- Andy McKay
- Jason C. Leach
- Jim Penny
- Joachim Werner
- kosh@aesaeion.com
- Michel Pelletier
- Shane Hathaway