I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software in the last few years that has so many security holes. Is there anything to justify this claim? I know there are an alarmingly large number of Zope hotfixes on the security mailing lists and that login passwords get sent in the clear, when not using ssl. On the other hand, I know of no attempt to hack a Zope site. --- Alastair
Many (most?) of the hotfixes have to do with fixing security holes which are a problem if and only if you allow untrusted (or semitrusted) users to write DTML/Python on your website via the through-the-web interface. If you don't allow this (most people don't... most people can't even conceive of it, because they have no concept that it can actually be done, and no other platforms provide for such a feature), the number of Zope security-related problems over the last few years goes down considerably. I count six (out of a total of 11) of them that are *not* related to through-the-web scripting since last June, one of which doesn't allow for meaningful elevation of privilege in any way. This leaves five "critical" security-related bugs in a year, all of which have fixes.

Consider also that Zope contains a webserver, a database, its own templating language, and its own search engine. Advise your admin to check the number of combined security reports for Apache, MySQL, embperl, and HTdig for the last year, and compare them against the number reported and fixed in Zope. I'd imagine they're comparable.

- C

----- Original Message -----
From: "Alastair Burt" <burt@dfki.de>
To: <zope@zope.org>
Sent: Tuesday, May 15, 2001 10:15 AM
Subject: [Zope] Zope Security
I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software in the last few years that has so many security holes. Is there anything to justify this claim? I know there are an alarmingly large number of Zope hotfixes on the security mailing lists and that login passwords get sent in the clear, when not using ssl. On the other hand, I know of no attempt to hack a Zope site.
--- Alastair
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Chris said:
Consider also that Zope contains a webserver, a database, its own templating language, and its own search engine. Advise your admin to check the number of combined security reports for Apache, MySQL, embperl, and HTdig for the last year, and compare them against the number reported and fixed in Zope. I'd imagine they're comparable.
Hardly comparable! Zope probably has fewer security issues than other comparable pieces of software, for instance IIS. A lot fewer.
- C
----- Original Message -----
From: "Alastair Burt" <burt@dfki.de>
To: <zope@zope.org>
Sent: Tuesday, May 15, 2001 10:15 AM
Subject: [Zope] Zope Security

I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software in the last few years that has so many security holes. Is there anything to justify this claim? I know there are an alarmingly large number of Zope hotfixes on the security mailing lists and that login passwords get sent in the clear, when not using ssl. On the other hand, I know of no attempt to hack a Zope site.
--- Alastair
There do appear to be a large number of hotfixes but you could examine what they are actually for since most are extremely obscure and don't actually present much of a risk. I rarely bother with most hotfixes, just move up to the next Zope as it comes out.

Zope is very secure, the only obvious problem is, as you say, passwords are not encrypted.

-- Andy McKay

----- Original Message -----
From: "Alastair Burt" <burt@dfki.de>
To: <zope@zope.org>
Sent: Tuesday, May 15, 2001 7:15 AM
Subject: [Zope] Zope Security
I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software in the last few years that has so many security holes. Is there anything to justify this claim? I know there are an alarmingly large number of Zope hotfixes on the security mailing lists and that login passwords get sent in the clear, when not using ssl. On the other hand, I know of no attempt to hack a Zope site.
--- Alastair
And I would also point out that on the rare occasion a problem is found, DC have fixed it asap. If not sooner.

Cheers.

-- Andy McKay.

----- Original Message -----
From: "Andy McKay" <andym@ActiveState.com>
To: <zope@zope.org>; "Alastair Burt" <burt@dfki.de>
Sent: Tuesday, May 15, 2001 7:46 AM
Subject: Re: [Zope] Zope Security
There do appear to be a large number of hotfixes but you could examine what they are actually for since most are extremely obscure and don't actually present much of a risk. I rarely bother with most hotfixes, just move up to the next Zope as it comes out.
Zope is very secure, the only obvious problem is, as you say, passwords are not encrypted. -- Andy McKay
----- Original Message -----
From: "Alastair Burt" <burt@dfki.de>
To: <zope@zope.org>
Sent: Tuesday, May 15, 2001 7:15 AM
Subject: [Zope] Zope Security
I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software in the last few years that has so many security holes. Is there anything to justify this claim? I know there are an alarmingly large number of Zope hotfixes on the security mailing lists and that login passwords get sent in the clear, when not using ssl. On the other hand, I know of no attempt to hack a Zope site.
--- Alastair
I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software
I don't see a relation between the fact that Zope may be insecure (it seems to be very secure) and the fact that it should be allowed a port to run on. If someone tries to hack your Zope, what is the influence on the rest of the system? The sysadmin should open the port and not worry about the use you make of it. Did I miss something? (I never had a problem with a sysadmin though ;-)

Philippe
Hi!
I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software in the last few years that has so many security holes. Is there anything to justify this claim? I know there are an alarmingly large number of Zope hotfixes on the security mailing lists and that login passwords get sent in the clear, when not using ssl. On the other hand, I know of no attempt to hack a Zope site.
I've heard of one: But that was Tom Schwaller getting password-sniffed in the local IP network on LinuxTag. ;-) Though I am not sure if this is just a good story or real ... This could have happened with any other software that allows over-the-web management. And using SSL does away with this ...

Zope CAN be dangerous if applied without care of course. But that's the job of your sysadmin. E.g. LocalFS combined with read/write permissions to critical resources for the user account running Zope is like leaving the door of your car open in Naples ...

Joachim
On 15 May 2001, Alastair Burt wrote:
I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software in the last few years that has so many security holes. Is there anything to justify this claim?
Not really.
I know there are an alarmingly large number of Zope hotfixes on the security mailing lists
Not any more than many other popular server systems. And often our security alerts are for unauthorized access to objects, *not* to your filesystem or the rest of your machine or network. If you do the right thing and run Zope as nobody, you should be fine.
and that login passwords get sent in the clear, when not using ssl.
That's the fault of HTTP basic auth, not Zope; Apache and everything else sends its basic auth credentials in the same way.
On the other hand, I know of no attempt to hack a Zope site.
I suggest you tell your administrator that he's right, and that in no way should you use Zope. Use IIS instead. It's much more secure, really. Oh yeah, and he absolutely must install FrontPage 2000 for his security to be airtight.

-Michel
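Michel's point about basic auth, illustrated with an added example that is not from the thread: an RFC 7617 Basic credential is only base64-encoded, so any request carrying one over plain HTTP discloses the password to whoever sees the wire, and only TLS changes that. The request records and the "manager:zope-pw" credential below are constructed, and the function names are mine.

```python
import base64

# Constructed audit input: (URL scheme the request arrived on, Authorization
# header value or None). "bWFuYWdlcjp6b3BlLXB3" is base64 of the placeholder
# credential "manager:zope-pw"; nothing here is a real account.
SAMPLE_REQUESTS = [
    ("http", "Basic bWFuYWdlcjp6b3BlLXB3"),
    ("https", "Basic bWFuYWdlcjp6b3BlLXB3"),
    ("http", 'Digest username="manager", realm="Zope"'),
    ("http", None),
]


def decode_basic(header):
    """Return (user, password) from a 'Basic <base64>' header, or None.

    Basic auth is an encoding, not encryption: recovering the credential
    needs no key, which is why the header must only travel over TLS.
    """
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True)
    except ValueError:  # malformed base64 (binascii.Error subclasses ValueError)
        return None
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:  # RFC 7617 requires the user-id ':' password form
        return None
    return user, password


def exposed_basic_auth(requests):
    """Return the usernames whose Basic credential was sent without TLS.

    Digest and other schemes are not flagged: the exposure this audit looks
    for is specifically a reversible credential on a cleartext connection.
    """
    exposed = []
    for scheme, header in requests:
        creds = decode_basic(header)
        if creds and scheme != "https":
            exposed.append(creds[0])
    return exposed


if __name__ == "__main__":
    print("Basic credentials sent in the clear:", exposed_basic_auth(SAMPLE_REQUESTS))
```

The same check applies to access logs from a reverse proxy in front of Zope: with TLS terminated there, every record flagged above is a request the proxy should have refused or redirected to https.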
LOL

----- Original Message -----
From: "Michel Pelletier" <michel@digicool.com>

I suggest you tell your administrator that he's right, and that in no way should you use Zope. Use IIS instead. It's much more secure, really. Oh yeah, and he absolutely must install FrontPage 2000 for his security to be airtight.
Michel Pelletier wrote:
I suggest you tell your administrator that he's right, and that in no way should you use Zope. Use IIS instead. It's much more secure, really. Oh yeah, and he absolutely must install FrontPage 2000 for his security to be airtight.

It must be, after all, you have to pay for it ;-)

Chris
Participants (8): Alastair Burt, Andy McKay, Chris McDonough, Chris Withers, Joachim Werner, Michel Pelletier, Phil Harris, Philippe Jadin