[Zope] defacement/crack statistics

Jim Penny jpenny@universal-fasteners.com
Mon, 4 Jun 2001 18:26:17 -0400


On Mon, Jun 04, 2001 at 03:12:33PM -0400, Shane Hathaway wrote:
> Andy McKay wrote:
> > I believe this is the problem:
> > 
> > - we see a hotfix which fixes an obscure security problem in an unusual
> > situation. Mostly related to allowing trusted users access to create stuff
> > (a la Zope.org). Most sites do not do this and most security patches are of
> > little importance.
> > 
> 
> 
> I'd say Zope has a very good track record in the area of security.  DC
> is just paranoid. :-)
> 

I would not disagree, but part of the problem is the language that
DC has normally used to advertise a hotfix.  This is truly a delicate
situation, in that you want to be damned sure that needed patches are 
applied; but in the past, the alerts have been somewhat breathless.

I think it might be a real help if the alerts had a section titled
something like

"Profile of Affected Site", or something like that, and then the 
paragraph said

"Zope hosting site, or other site that lets unknown or untrusted users
post DTML",
"Zope site that permits posting of structured text",
or 
"All users, Yeep! Red Alert, man the battle stations"

It might also help to begin the alert with a notice of the number
of sites known to have been defaced as a result of the problem.


> Shane
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>