13 Sep
2003
11:12 a.m.
Roy Rapoport wrote at 2003-9-10 11:34 -0700:
As part of a re-engineering of our Zope infrastructure, I'm tasked with finding any documentation out there on how to secure Zope sites in a best-practices sort of way. Anyone got any pointers?
Jamie Heilman (who also answered your post) discovered a set of security risks. Search the mailing list archives for his security-related posts.

To avoid the ":action/method" risk (pointed out by Jamie) we will extend the VHM (virtual host monster) to do the "forbidden URL checking" rather than doing it in Apache (which does not see the complete URL).

Dieter