[Zope] defacement/crack statistics

Joachim Werner joe@iuveno-net.de
Mon, 4 Jun 2001 18:38:38 +0200


> > Does anyone have any statistics on how often zope servers tend to get
> > cracked? I have been looking on line and so far I have found no data on
> > that. Either there has not been one which is unlikely or they are
> > extremely rare which is more likely considering the ACL system.
> >
> > Need some information for customers and these kinds of numbers would be
> > very useful.
>
> I've been around since the pre-Zope, and I also help do commercial support
> for DC.  I have never once heard from the community, or from a customer,
> of any successful or unsuccessful crack of Zope.  I, like you, would be
> very interested to hear of one.

Hi!

The only successful attack I know of is that Tom Schwaller's linuxcommunity
site was apparently defaced on LinuxTag 2000 in Stuttgart, Germany. I have
not really seen it happen, and the exploit was said to have been a typical
password-sniffing attack from within the LinuxTag local IP net that could
have been avoided with SSH and would be extremely unlikely over the
Internet.

Unfortunately Zope seems to have a very bad reputation for security holes in
the non-Zope Linux community. I am not sure where this comes from. Maybe it
is just because all zope.org security alerts were promptly posted on the
usual sites (like RedHat's or SuSE's) and people were not able to judge the
importance of those.

In addition to that, as I have read in an earlier posting some weeks ago, one
would have to compare Zope not just with Apache, but with a completely
configured system, e.g. a LAMP (Linux, Apache, MySQL, Perl/PHP)
installation, and count the total applicable security issues this
combination has/had with Zope's.

The good thing with a standard Zope installation is that even if you hack
into the FTP port, ZServer would never even be able to serve you files from
outside the ZODB. That's why useful tools like LocalFS have to be handled
with care ...

Joachim