[Zope] www.oswg.org runs Zope?

srl slandrum@turing.csc.smith.edu
Wed, 19 Apr 2000 07:54:56 -0400 (EDT)


On Wed, 19 Apr 2000, Petru Paler wrote:

> On Wed, Apr 19, 2000 at 07:34:28AM -0400, srl wrote:
> > Now, the fact that we can add /manage to any URL to edit the data seems
> > like a potential security hole. All it would take to crack a Zope password
> > would be running a password guesser with user 'superuser'. Or am I missing
> > something here?
> 
>    Yes. If you are security-conscious you change the superuser account name
> and choose a very hard to guess password.

Okay, that means that instead of it taking N tries to hack a password, it
takes N^2 tries. *shrug* A little better.

Is there a way to run all the /manage pages behind SSL, so they're less
prone to password sniffing? Or to rename /manage to something a little
more obscure? It just seems to me that the /manage URLs are just waiting
to be exploited by some cracker.


srl, picking security nits
----
Shane Renee Landrum  
slandrum<@>cs.smith.edu
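Whatever the account is called and however strong the password, a guesser hitting /manage leaves a trail: every failed attempt comes back as a 401 in Common Log Format, whether the line is written by Zope's own access log or by an Apache front end. The script below is an added example, not code from the original post or from Zope, that scans such a log and flags any client with a burst of 401s on /manage URLs. The log lines are constructed for the example, the threshold of five failures in ten minutes is an assumed value, and the only assumption about Zope is that a rejected Basic-auth login to /manage is logged with status 401.

```python
"""Flag password-guessing against Zope /manage URLs in a Common Log Format
access log.  Added example: not from the original post or from Zope itself.
The sample log below is constructed; the threshold/window are assumed values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: client, ident, auth user, timestamp, request, status, size.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client hammering /manage with guessed credentials
# (six 401s in a few seconds), one legitimate admin, and an unrelated 404.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Apr/2000:07:54:56 -0400] "GET /manage HTTP/1.0" 401 0
203.0.113.7 - superuser [19/Apr/2000:07:54:57 -0400] "GET /manage HTTP/1.0" 401 0
203.0.113.7 - superuser [19/Apr/2000:07:54:58 -0400] "GET /manage HTTP/1.0" 401 0
203.0.113.7 - superuser [19/Apr/2000:07:54:58 -0400] "GET /manage HTTP/1.0" 401 0
203.0.113.7 - superuser [19/Apr/2000:07:54:59 -0400] "GET /manage HTTP/1.0" 401 0
203.0.113.7 - superuser [19/Apr/2000:07:55:00 -0400] "GET /docs/manage_main HTTP/1.0" 401 0
198.51.100.4 - admin [19/Apr/2000:07:55:01 -0400] "GET /manage_main HTTP/1.0" 200 3120
198.51.100.4 - - [19/Apr/2000:07:55:02 -0400] "GET /nosuch HTTP/1.0" 404 0
"""


def parse(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_guessers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {client_ip: peak_failures} for every client that produced at
    least `threshold` 401 responses on /manage* URLs within any span of
    length `window`.  A sliding window over the sorted timestamps is used so
    a slow guesser spread over a long log is still caught."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["status"] != 401:
            continue
        if "/manage" not in rec["path"]:  # /manage, /manage_main, /x/manage ...
            continue
        attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


if __name__ == "__main__":
    for ip, hits in find_guessers(SAMPLE_LOG).items():
        print(f"{ip}: {hits} failed /manage logins in one 10-minute window")
```

Run it on a real Z2.log or Apache access log by reading the file into `find_guessers`; a hit is a candidate for a firewall block, and the same counting, keyed on the attempted user name instead of the client address, reveals whether the guesser has already learned the renamed account.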