[Zope] defacement/crack statistics

Jason C. Leach jleach@mail.ocis.net
Mon, 4 Jun 2001 10:35:27 -0700 (PDT)


hi,

An automated 'hotfix' management system would be a really good tool to
implement in Zope.  Perhaps a simple button in the Control Panel to
fetch and install the latest hotfixes.

j.

......................
..... Jason C. Leach
... University College of the Cariboo.
.. 

On Mon, 4 Jun 2001, Michel Pelletier wrote:

> On Sun, 3 Jun 2001 kosh@aesaeion.com wrote:
> 
> > Does anyone have any statistics on how often zope servers tend to get
> > cracked? I have been looking online and so far I have found no data on
> > that. Either there has not been one which is unlikely or they are
> > extremely rare which is more likely considering the ACL system.
> >
> > Need some information for customers and these kinds of numbers would be
> > very useful.
> 
> I've been around since the pre-Zope, and I also help do commercial support
> for DC.  I have never once heard from the community, or from a customer,
> of any successful or unsuccessful crack of Zope.  I, like you, would be
> very interested to hear of one.
> 
> Of course it can happen, there are well known exploits for older versions
> of Zope, three major ones in the last year and a half, if memory serves
> right.  All of those exploits were fixed the same day they were reported,
> often within hours, and new versions and security updates for older
> versions were released, so even if there is an older version and the
> maintainer patched it with a hotfix, it's safe (from the known exploit).
> 
> Most exploits (as far as I know) are discovered by community members in the
> course of their experimentation with Zope.  This is one of the greatest
> strengths of open source.  Of course, there's nothing like a full blown
> security audit, but then again, there's nothing like roasting hot
> dogs over large piles of burning money either.
> 
> -Michel