Typo - that's 'rm -rf /' (or if an attacker is feeling a little more benign, they'll just deface your site)...

My primary security rule: you need to be root, and you need to be informed (alerts, mailing lists - set a reminder in your PIM software to check security bulletins on lwn.net every Thursday afternoon, you get the idea), if you are going to manage these things...

Sean

-----Original Message-----
From: sean.upton@uniontrib.com [mailto:sean.upton@uniontrib.com]
Sent: Monday, June 04, 2001 12:20 PM
To: jleach@mail.ocis.net; zope@zope.org
Subject: RE: [Zope] defacement/crack statistics

I agree: it would be nice to write a hotfix for Zope that permits a remote 'rf -rf /' command to be executed. If I could install that hotfix through-the-web, that would be even better. ;)

Kidding aside, the very reasons hotfixes exist preclude the idea of TTW implementation of hotfixes in the first place. The only way I would think this would be acceptable is if there was a way to hard-code it so that only localhost could do this, if even that...

Sean

-----Original Message-----
From: Jason C. Leach [mailto:jleach@mail.ocis.net]
Sent: Monday, June 04, 2001 10:35 AM
To: zope@zope.org
Subject: Re: [Zope] defacement/crack statistics

hi,

An automated 'hotfix' management system would be a really good tool to implement in Zope. Perhaps a simple button in the Control Panel to fetch and install the latest hotfixes.

j.
...................... ..... Jason C. Leach ... University College of the Cariboo. ..

On Mon, 4 Jun 2001, Michel Pelletier wrote:
On Sun, 3 Jun 2001 kosh@aesaeion.com wrote:
Does anyone have any statistics on how often Zope servers tend to get cracked? I have been looking online and so far I have found no data on that. Either there has not been one, which is unlikely, or they are extremely rare, which is more likely considering the ACL system.
Need some information for customers and these kinds of numbers would be very useful.
I've been around since the pre-Zope days, and I also help do commercial support for DC. I have never once heard from the community, or from a customer, of any successful or unsuccessful crack of Zope. I, like you, would be very interested to hear of one.
Of course it can happen, there are well known exploits for older versions of Zope, three major ones in the last year and a half, if memory serves right. All of those exploits were fixed the same day they were reported, often within hours, and new versions and security updates for older versions were released, so even if there is an older version and the maintainer patched it with a hotfix, it's safe (from the known exploit).
Most exploits (as far as I know) are discovered by community members in the course of their experimentation with Zope. This is one of the greatest strengths of open source. Of course, there's nothing like a full-blown security audit, but then again, there's nothing like roasting hot dogs over large piles of burning money either.
-Michel
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )