[Zope] defacement/crack statistics
sean.upton@uniontrib.com
Mon, 04 Jun 2001 12:28:38 -0700
Typo - that's 'rm -rf /' (or if an attacker is feeling a little more benign,
they'll just deface your site)...
My primary security rule: you need to be root, and you need to be informed
(alerts, mailing lists - set a reminder in your PIM software to check
security bulletins on lwn.net every Thursday afternoon, you get the idea),
if you are going to manage these things...
Sean
-----Original Message-----
From: sean.upton@uniontrib.com [mailto:sean.upton@uniontrib.com]
Sent: Monday, June 04, 2001 12:20 PM
To: jleach@mail.ocis.net; zope@zope.org
Subject: RE: [Zope] defacement/crack statistics
I agree: it would be nice to write a hotfix for Zope that permits a remote
'rf -rf /' command to be executed. If I could install that hotfix
through-the-web, that would be even better. ;) Kidding aside, the very
reasons hotfixes exist preclude the idea of TTW implementation of hotfixes
in the first place. The only way I would think this would be acceptable is
if there was a way to hard-code it so that only localhost could do this, if
even that...
Sean
-----Original Message-----
From: Jason C. Leach [mailto:jleach@mail.ocis.net]
Sent: Monday, June 04, 2001 10:35 AM
To: zope@zope.org
Subject: Re: [Zope] defacement/crack statistics
hi,
An automated 'hotfix' management system would be a really good tool to
implement in Zope. Perhaps a simple button in the Control Panel to
fetch and install the latest hotfixes.
j.
......................
..... Jason C. Leach
... University College of the Cariboo.
..
On Mon, 4 Jun 2001, Michel Pelletier wrote:
> On Sun, 3 Jun 2001 kosh@aesaeion.com wrote:
>
> > Does anyone have any statistics on how often zope servers tend to get
> > cracked? I have been looking on line and so far I have found no data on
> > that. Either there has not been one which is unlikely or they are
> > extremely rare which is more likely considering the ACL system.
> >
> > Need some information for customers and these kinds of numbers would be
> > very useful.
>
> I've been around since the pre-Zope, and I also help do commercial support
> for DC. I have never once heard from the community, or from a customer,
> of any successful or unsuccessful crack of Zope. I, like you, would be
> very interested to hear of one.
>
> Of course it can happen, there are well known exploits for older versions
> of Zope, three major ones in the last year and a half, if memory serves
> right. All of those exploits were fixed the same day they were reported,
> often within hours, and new versions and security updates for older
> versions were released, so even if there is an older version and the
> maintainer patched it with a hotfix, it's safe (from the known exploit).
>
> Most exploits (as far as I know) are discovered by community members in the
> course of their experimentation with Zope. This is one of the greatest
> strengths of open source. Of course, there's nothing like a full blown
> security audit, but then again, there's nothing like roasting hot
> dogs over large piles of burning money either.
>
> -Michel
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )