19 Apr 2000, 2:30 p.m.
srl wrote:

> Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?
So put it behind Apache, and either strip out all basic auth (and make sure user auth uses cookies) or block .*/manage.*

Anthony

-- 
Anthony Baxter <anthony@interlink.com.au>
It's never too late to have a happy childhood.
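The reverse-proxy setup Anthony describes, written out as an added example for a modern Apache 2.4 front end (this is not configuration from the original thread or from the Zope project). It assumes ZServer listens on 127.0.0.1:8080, that the public hostname is zope.example.com, and that mod_rewrite, mod_headers and mod_proxy_http are loaded; all of those are assumptions, not details from the thread. The first rule implements the "block .*/manage.*" option; the RequestHeader line implements the "strip out all basic auth" option. Either alone addresses the password-guessing concern, and they can be combined.

```apache
# Added example: Apache 2.4 reverse proxy in front of a Zope instance.
# Hostname and backend port are assumed; adjust to your deployment.
<VirtualHost *:80>
    ServerName zope.example.com

    # Option 1 (Anthony's "block .*/manage.*"):
    # Refuse any request whose URL path contains a path segment that
    # starts with "manage" (covers /manage, /manage_main,
    # /manage_workspace, ...). The pattern is matched against the
    # URL path only, not the query string. [F] returns 403 Forbidden
    # without ever contacting Zope, so the guesser never reaches the
    # authentication code behind the management interface.
    RewriteEngine On
    RewriteRule ^.*/manage - [F,L]

    # Option 2 (Anthony's "strip out all basic auth"):
    # Drop the Authorization header on every proxied request. Zope then
    # never sees HTTP Basic credentials through this front end, so a
    # Basic-auth password guesser gets nowhere regardless of URL.
    # Because this also removes Basic auth for legitimate users, Zope
    # must be configured for cookie-based authentication, exactly as
    # the reply says ("make sure user auth uses cookies").
    RequestHeader unset Authorization

    # Forward everything else to the Zope instance (a plain reverse
    # proxy; ProxyRequests Off prevents the server from acting as an
    # open forward proxy).
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two practical caveats for anyone copying this. First, Option 1 blocks the management screens for everyone coming through Apache, administrators included; they need another path to Zope, such as a second Apache listener restricted to an admin network, or direct access to the ZServer port over SSH. Second, blocking only /manage does not by itself stop Basic-auth guessing, because any Zope object that challenges with a 401 can be used to test a password; that is why the reply offers stripping Basic auth as the alternative, and why combining both is the safer choice.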