[Zope] defacement/crack statistics

Michel Pelletier michel@digicool.com
Mon, 4 Jun 2001 01:21:38 -0700 (PDT)


On Sun, 3 Jun 2001 kosh@aesaeion.com wrote:

> Does anyone have any statistics on how often zope servers tend to get
> cracked? I have been looking on line and so far I have found no data on
> that. Either there has not been one which is unlikely or they are
> extremely rare which is more likely considering the ACL system.
>
> Need some information for customers and these kinds of numbers would be
> very useful.

I've been around since the pre-Zope, and I also help do commercial support
for DC.  I have never once heard from the community, or from a customer,
of any successful or unsuccessful crack of Zope.  I, like you, would be
very interested to hear of one.

Of course it can happen, there are well known exploits for older versions
of Zope, three major ones in the last year and a half, if memory serves
right.  All of those exploits were fixed the same day they were reported,
often within hours, and new versions and security updates for older
versions were released, so even if there is an older version and the
maintainer patched it with a hotfix, it's safe (from the known exploit).

Most exploits (as far as I know) are discovered by community members in the
course of their experimentation with Zope.  This is one of the greatest
strengths of open source.  Of course, there's nothing like a full blown
security audit, but then again, there's nothing like roasting hot
dogs over large piles of burning money either.

-Michel