For a couple weeks now I've been wondering about Zope's security vulnerabilities. Recently I've gotten rather alarmed. While poking around the zGold site, I've come across some rather surprising things. In particular, access to the SQL database doesn't seem to be controlled at all... I was able to snag clear text passwords rather easily. (I hope no one is using an important password for that site... surprisingly only three users have 'password'. :)

Presumably this is a server configuration issue, as Zope.org doesn't have the obvious hole that zGold does. So, my question is, does there exist a laundry list of common Zope misconfigurations? Does there need to be one (Zope.org tips)? The solution is rather obvious (settings on the security tab for the folder) but how do new users know to catch that kind of thing?

-Otto.