[Zope] www.oswg.org runs Zope?

Marcus Collins mcollins@sunesi.com
Wed, 19 Apr 2000 14:19:59 +0200


Hi,

See http://lists.zope.org/pipermail/zope/2000-February/020074.html for an
example using SiteAccess to direct all /manage activity over https.

hth,

-- Marcus

> -----Original Message-----
> From: srl [mailto:slandrum@turing.csc.smith.edu]
> Sent: 19 April 2000 13:55
> To: Petru Paler
> Cc: srl; J. Atwood; zope@zope.org
> Subject: Re: [Zope] www.oswg.org runs Zope?
> 
> 
> On Wed, 19 Apr 2000, Petru Paler wrote:
> 
> > On Wed, Apr 19, 2000 at 07:34:28AM -0400, srl wrote:
> > > Now, the fact that we can add /manage to any URL to edit the data
> > > seems like a potential security hole. All it would take to crack a
> > > Zope password would be running a password guesser with user
> > > 'superuser'. Or am I missing something here?
> > 
> >    Yes. If you are security-conscious you change the superuser
> > account name and choose a very hard to guess password.
> 
> Okay, that means that instead of it taking N tries to hack a password,
> it takes N^2 tries. *shrug* A little better.
> 
> Is there a way to run all the /manage pages behind SSL, so they're less
> prone to password sniffing? Or to rename /manage to something a little
> more obscure? It just seems to me that the /manage URLs are just waiting
> to be exploited by some cracker.
> 
> 
> srl, picking security nits
> ----
> Shane Renee Landrum  
> slandrum<@>cs.smith.edu    
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>
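The decision Marcus points at, "send every /manage request to https", written out as an added example. This is not the SiteAccess rule from the linked post and not Zope's own code: it is plain Python so it can be run anywhere, and the function names (is_management_path, https_redirect_target), the sample URLs and the assumption that an access rule would feed it REQUEST['URL'] and apply the result with RESPONSE.redirect() are all mine. The check looks at every path segment rather than only the last one, because in Zope a management view such as manage_main can be acquired at any depth of the URL, which is exactly the property srl is worried about.

```python
"""Decide when a Zope management request should be bounced to HTTPS.

Added example, not the SiteAccess code nor the rule in the linked post.
Inside a real access rule the same decision would be made on
REQUEST['URL'] and applied with RESPONSE.redirect(); that wiring is an
assumption and is not shown here.
"""
from urllib.parse import urlsplit, urlunsplit


def is_management_path(path):
    """True if any path segment is 'manage' or a 'manage_*' view.

    Zope resolves /manage, /manage_main, /manage_workspace ... through
    acquisition, so the segment can appear anywhere in the path, not only
    at the end. A segment such as 'managers' is deliberately not matched.
    """
    return any(seg == "manage" or seg.startswith("manage_")
               for seg in path.split("/"))


def https_redirect_target(url, https_port=None):
    """Return the https:// URL a plain-http management request should be
    redirected to, or None when no redirect is needed.

    Requests that are already https, or that do not touch a management
    view, are left alone. The original port (often 8080 for Zope behind
    nothing at all) is dropped; https_port, if given, is substituted.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not is_management_path(parts.path):
        return None
    host = parts.hostname or ""
    if https_port:
        host = "%s:%d" % (host, https_port)
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample requests, the kind a site might see in a day.
    for u in ("http://www.example.org:8080/Docs/manage_main",
              "http://www.example.org/index_html",
              "https://www.example.org/manage",
              "http://www.example.org/manage?foo=1"):
        print(u, "->", https_redirect_target(u))
```

With the redirect in place a cleartext password guesser still gets an answer from /manage, so this closes the sniffing half of srl's complaint, not the guessing half; the account rename and a strong password remain the only defences the thread offers for that.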