[Zope] Major security flaw in Zope 2.3.2
Oleg Broytmann <phd@phd.fep.ru>
Wed, 6 Jun 2001 23:47:03 +0400 (MSD)
On Wed, 6 Jun 2001, Ragnar Beer wrote:
> >Of course it would not help against a prying administrator. It's plain
> >simple to sniff the passwords from HTTP traffic.
> >
> >Regards, Frank
> >
>
> And that's why you shouldn't allow access to the management interface
> via HTTP. (I just wonder why there is a *separate* ZServer with SSL
This is not of much help. A prying admin who already has access to the
filesystem will just hack Zope and get passwords mailed to him, SSL or no
SSL - right from Zope.
Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.