Hi,

See http://lists.zope.org/pipermail/zope/2000-February/020074.html for an example using SiteAccess to direct all /manage activity over https.

hth,
-- Marcus
-----Original Message-----
From: srl [mailto:slandrum@turing.csc.smith.edu]
Sent: 19 April 2000 13:55
To: Petru Paler
Cc: srl; J. Atwood; zope@zope.org
Subject: Re: [Zope] www.oswg.org runs Zope?
On Wed, 19 Apr 2000, Petru Paler wrote:

> On Wed, Apr 19, 2000 at 07:34:28AM -0400, srl wrote:
>
> > Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?
>
> Yes. If you are security-conscious you change the superuser account name and choose a very hard to guess password.

Okay, that means that instead of it taking N tries to hack a password, it takes N^2 tries. *shrug* A little better.

Is there a way to run all the /manage pages behind SSL, so they're less prone to password sniffing? Or to rename /manage to something a little more obscure? It just seems to me that the /manage URLs are just waiting to be exploited by some cracker.

srl, picking security nits
----
Shane Renee Landrum
slandrum<@>cs.smith.edu
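The following is an added example, not code from this thread, from Zope, or from the SiteAccess product: a WSGI middleware that does at the front end what the SiteAccess recipe in Marcus's link does inside Zope, namely refuse to serve ZMI (/manage, /manage_main, ...) paths over plain http and redirect them to the same URL under https. It assumes Zope sits behind a WSGI-capable front end that sets wsgi.url_scheme correctly, that https is served on the same host name, and that X-Forwarded-Proto is only honoured when a TLS-terminating proxy you control overwrites it.

```python
# Added example (not from the thread, Zope, or SiteAccess): serve ZMI paths
# only over https. Assumptions: WSGI front end, same host name for https,
# X-Forwarded-Proto trusted only when the operator opts in.
from urllib.parse import quote


def is_manage_path(path):
    """True if any path segment is a ZMI method: 'manage' or 'manage_*'.

    Zope resolves /manage, /manage_main etc. on any object in the URL, so
    every segment has to be checked, not just the last one.
    """
    return any(seg == "manage" or seg.startswith("manage_")
               for seg in path.split("/"))


def request_scheme(environ, trust_forwarded=False):
    """Scheme the client actually used.

    X-Forwarded-Proto is client-supplied unless a proxy in front of us
    overwrites it, so it is only honoured when trust_forwarded is set.
    """
    if trust_forwarded and environ.get("HTTP_X_FORWARDED_PROTO"):
        return environ["HTTP_X_FORWARDED_PROTO"].split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def https_manage_url(environ, trust_forwarded=False):
    """Return the https URL to redirect to, or None if no redirect is needed.

    None means the path is not a ZMI path, or it is already on https.
    """
    path = environ.get("PATH_INFO") or "/"
    if not is_manage_path(path):
        return None
    if request_scheme(environ, trust_forwarded) == "https":
        return None
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    url = "https://" + host + quote(path)
    query = environ.get("QUERY_STRING")
    if query:
        url += "?" + query
    return url


class ManageOverHTTPS:
    """WSGI middleware: ZMI paths are answered only over https."""

    def __init__(self, app, trust_forwarded=False):
        self.app = app
        self.trust_forwarded = trust_forwarded

    def __call__(self, environ, start_response):
        target = https_manage_url(environ, self.trust_forwarded)
        if target is not None:
            # Redirect before Zope can send its 401 challenge, so the browser
            # is never asked for the superuser password on a plain-http page.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


if __name__ == "__main__":
    # Constructed sample requests, shaped as a WSGI server would hand them over.
    samples = (
        {"PATH_INFO": "/index_html", "wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com"},
        {"PATH_INFO": "/folder/manage_main", "wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com"},
        {"PATH_INFO": "/folder/manage_main", "wsgi.url_scheme": "https", "HTTP_HOST": "www.example.com"},
    )
    for env in samples:
        print(env["wsgi.url_scheme"], env["PATH_INFO"], "->", https_manage_url(env))
```

The redirect fires before any authentication challenge, which is the point: a browser that types the http URL is moved to https before it is ever asked for credentials. This addresses the sniffing concern only; it does nothing against the password-guessing scenario in the quoted text, which still comes down to the account name and password strength Petru describes.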
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )