hi shane,

what you're "missing" is the fact that the superuser's name and password are not hardcoded. it's your responsibility to use the zpasswd.py utility in your zope root directory to change the name and password to something hard to guess. but even if you do not change it, the passwords generated during a zope install are random and not guessable.

concerning the fact that the "manage" suffix to an address is hardcoded, there's always the possibility for those who run apache in front of zope to write a rewrite rule which shuts out direct access to anything like http://myurl/myfile/manage and a second one that maps any chosen expression to the underlying zope "manage" pages, like http://myurl/myfile/niceweathertoday .

jens

----
Jens Vagelpohl          jens@digicool.com
Software Engineer       www.digicool.com
Digital Creations       (888) 344-4332
Got Zope?
----

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of srl
Sent: Wednesday, April 19, 2000 07:34
To: J. Atwood
Cc: srl; zope@zope.org
Subject: Re: [Zope] www.oswg.org runs Zope?

Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?

srl

On Tue, 18 Apr 2000, J. Atwood wrote:
http://www.oswg.org:8080/oswg/manage
That is always a good test..
It is.. Squishdot.
J
From: srl <slandrum@turing.csc.smith.edu>
Date: Tue, 18 Apr 2000 17:22:35 -0400 (EDT)
To: zope@zope.org
Subject: [Zope] www.oswg.org runs Zope?
www.oswg.org
_______________________________________________
Shane Renee Landrum   slandrum<@>cs.smith.edu
----
"Some people enjoy the corporate life. Then again, some people enjoy nipple clamps." --- seen on an ad
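The Apache rewrite rules jens describes, written out as an added example (this is not code from the thread or from Zope). Assumptions: the rules sit in a VirtualHost of an Apache that has mod_rewrite and mod_proxy loaded and proxies to Zope listening on 127.0.0.1:8080; the alias "niceweathertoday" is the one jens used and stands in for whatever hard-to-guess word you pick; the first rule also covers the manage_* screens (manage_main and friends) that Zope exposes next to plain "manage".

```apache
# Added example, not from the mailing-list post above.
# Assumed: server/VirtualHost context (paths begin with "/"), Zope on 127.0.0.1:8080,
# mod_rewrite + mod_proxy loaded. "niceweathertoday" is jens's example alias.
RewriteEngine On

# 1. Shut out direct access: any URL whose last element is "manage" or
#    "manage_<anything>" gets a 403. [F] = forbidden, [L] = stop processing.
RewriteRule ^/(.*/)?manage(_[A-Za-z0-9_]*)?$ - [F,L]

# 2. Map the chosen expression onto the real management screen of the same
#    object: /myfile/niceweathertoday is sent to Zope as /myfile/manage, and
#    /niceweathertoday alone reaches the root object's manage screen.
#    [P] hands the rewritten URL straight to mod_proxy, so rule 1 is not
#    re-applied to the internal "manage" URL.
RewriteRule ^/(.*/)?niceweathertoday$ http://127.0.0.1:8080/$1manage [P,L]

# 3. Everything else is proxied through to Zope unchanged.
RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P,L]
```

Check it with a plain HEAD request: http://myurl/myfile/manage should come back 403 from Apache, while http://myurl/myfile/niceweathertoday should return the Zope management screen (with its usual basic-auth prompt). Two caveats. First, this only helps if Zope's own port is unreachable from outside; the oswg URL in the thread is on :8080, so bind Zope to localhost or firewall that port, otherwise anyone can skip Apache and hit /manage directly. Second, hiding the entry point is obscurity on top of, not instead of, the random or zpasswd.py-set superuser password jens mentions first.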