srl wrote:
> Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?

So put it behind Apache, and either strip out all basic auth (and make sure user auth uses cookies) or block .*/manage.*

Anthony
-- 
Anthony Baxter <anthony@interlink.com.au>
It's never too late to have a happy childhood.
Anthony Baxter
> srl wrote:
> > Now, the fact that we can add /manage to any URL to edit the data seems like a potential security hole. All it would take to crack a Zope password would be running a password guesser with user 'superuser'. Or am I missing something here?
>
> So put it behind Apache, and either strip out all basic auth (and make sure user auth uses cookies) or block .*/manage.*

Restricting access by IP number also helps. It's worth forcing management over to https (things like account/password info for SQL connections shouldn't be in plain text, IMO). This can be done with a rewrite rule; redirect all http://.../manage -> https://.../manage. Wasn't there an SSL-ified Medusa released a few months ago? I don't remember the name or source. I didn't look into it at the time (fastcgi works fine over https), but it might be just what some people are looking for.

> Anthony
> -- 
> Anthony Baxter <anthony@interlink.com.au>
> It's never too late to have a happy childhood.
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )

-- 
John Edstrom | edstrom @ slugo.hmsc.orst.edu
http://bubo.hmsc.orst.edu/~edstrom
"Lurker" at BioMOO (bioinfo.weizmann.ac.il:8888)
Hatfield Marine Science Center
2030 S. Marine Science Drive
Newport, Oregon 97365-5296
wk: (541) 867 0197 fx: (541) 867 0138
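The two messages above describe one Apache front-end layout: strip basic auth on plain HTTP, redirect every URL containing /manage to https, and restrict the management screens by IP. The configuration below is an added example written for this page, not something posted in the thread. It assumes Apache 2.4 syntax (mod_rewrite, mod_headers, mod_proxy_http, mod_ssl, mod_authz_core) rather than the 1.3 series current when the thread was written; the Zope backend address 127.0.0.1:8080, the hostname zope.example.com, the certificate paths and the admin network 10.0.0.0/8 are all constructed placeholders.

```apache
# Added example (not from the thread): Apache 2.4 in front of Zope.
# Constructed values: backend 127.0.0.1:8080, admin network 10.0.0.0/8,
# hostname and certificate paths.

<VirtualHost *:80>
    ServerName zope.example.com
    RewriteEngine On

    # Any URL containing /manage (the thread's .*/manage.* pattern) is sent
    # to https before it ever reaches Zope, so ZMI credentials and the
    # SQL connection passwords edited there never cross the wire in clear.
    RewriteCond %{REQUEST_URI} /manage
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # "Strip out all basic auth" on the plain-HTTP side: drop any
    # Authorization header so a browser cannot replay a ZMI password here.
    RequestHeader unset Authorization

    # Everything else is proxied to Zope unchanged.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:443>
    ServerName zope.example.com
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/ssl/certs/zope.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/zope.example.com.key

    # Even over https, only the admin network may reach management
    # screens. LocationMatch takes a regex, so "/manage" matches anywhere
    # in the path (manage, manage_main, /folder/manage, ...), like .*/manage.*
    <LocationMatch "/manage">
        Require ip 10.0.0.0/8
    </LocationMatch>

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Replacing `Require ip 10.0.0.0/8` with `Require all denied` gives Anthony's stricter variant of blocking the management screens from the outside entirely. Because the redirect and the IP rule both match the substring "/manage" rather than an exact path, the ZMI's other entry points (manage_main, manage_access and so on) are covered by the same two lines; the IP rule alone does not defeat password guessing from inside the admin network, so Zope's own authentication still has to be sound.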