[Zope] www.oswg.org runs Zope?

Anthony Baxter <anthony@interlink.com.au>
Thu, 20 Apr 2000 00:30:25 +1000


>>> srl wrote
> Now, the fact that we can add /manage to any URL to edit the data seems
> like a potential security hole. All it would take to crack a Zope password
> would be running a password guesser with user 'superuser'. Or am I missing
> something here?

So put it behind Apache, and either strip out all basic auth (and make
sure user auth uses cookies) or block .*/manage.*

Anthony
-- 
Anthony Baxter     <anthony@interlink.com.au>   
It's never too late to have a happy childhood.
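A concrete form of the two options in the reply above, as an added example that is not from the thread, from Zope or from www.oswg.org. It assumes Apache httpd 2.4 with mod_proxy and mod_headers loaded, a Zope instance listening on 127.0.0.1:8080, and an administrative network of 192.0.2.0/24; all of those are placeholders. The first section blocks the ZMI paths for everyone outside the admin network, the second strips HTTP basic-auth credentials from every other request so that a password guesser never reaches Zope's login prompt and the public site can only be authenticated with cookies.

```apache
# Added example (not from the original thread or the Zope project):
# Apache 2.4 front end that hides a Zope ZMI from the Internet.
# Placeholders: www.example.com, 127.0.0.1:8080 (Zope), 192.0.2.0/24 (admins).
<VirtualHost *:80>
    ServerName www.example.com

    # Option 2 from the reply: block ".*/manage.*" at the edge.
    # Zope's ZMI methods are named manage, manage_main, manage_workspace, ...
    # and can be appended to any object path, so match the last path segment
    # rather than a fixed prefix. "/management/" (real content) is not matched.
    <LocationMatch "^/(.*/)?manage(_[A-Za-z0-9_]*)?/?$">
        # Only the admin network may reach the ZMI; everyone else gets 403
        # from Apache before Zope ever sees the request.
        Require ip 192.0.2.0/24
    </LocationMatch>

    # Option 1 from the reply: strip basic auth from the public side.
    # Requests from outside the admin network lose their Authorization header,
    # so guessed 'superuser' passwords are never forwarded to Zope and only
    # cookie-based login can work for public visitors. Admins keep basic auth.
    <If "!-R '192.0.2.0/24'">
        RequestHeader unset Authorization
    </If>

    # Everything that survives the checks above is proxied to Zope.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two caveats for anyone deploying this. The path filter only covers methods whose name starts with `manage`; anything else reachable in Zope with a management permission under another name (the example above does not try to enumerate them) is still proxied, which is why the header-stripping section is the one that actually removes the password-guessing path, and the path filter is a second layer. And basic auth sends the password in cleartext on every request, so the admin network should reach this virtual host over TLS rather than the plain port 80 shown here.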