[Zope] www.oswg.org runs Zope?

Jens Vagelpohl Jens@digicool.com
Wed, 19 Apr 2000 08:41:12 -0400


hi shane,

what you're "missing" is the fact that the superuser's name and password
are not hardcoded. it's your responsibility to use the zpasswd.py
utility in your zope root directory to change the name and password to
something hard to guess. but even if you do not change it, the passwords
generated during a zope install are random and not guessable.

concerning the fact that the "manage" suffix to an address is hardcoded,
there's always the possibility for those who run apache in front of zope
to write a rewrite rule which shuts out direct access to anything like
http://myurl/myfile/manage and a second one that maps any chosen
expression to the underlying zope "manage" pages, like
http://myurl/myfile/niceweathertoday.

jens

----

Jens Vagelpohl		jens@digicool.com
Software Engineer	      www.digicool.com
Digital Creations 	(888) 344-4332

Got Zope?

----

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of srl
Sent: Wednesday, April 19, 2000 07:34
To: J. Atwood
Cc: srl; zope@zope.org
Subject: Re: [Zope] www.oswg.org runs Zope?


Now, the fact that we can add /manage to any URL to edit the data seems
like a potential security hole. All it would take to crack a Zope password
would be running a password guesser with user 'superuser'. Or am I
missing something here?

srl

On Tue, 18 Apr 2000, J. Atwood wrote:

> http://www.oswg.org:8080/oswg/manage
> 
> 
> That is always a good test..
> 
> It is.. Squishdot.
> 
> J
> 
> > From: srl <slandrum@turing.csc.smith.edu>
> > Date: Tue, 18 Apr 2000 17:22:35 -0400 (EDT)
> > To: zope@zope.org
> > Subject: [Zope] www.oswg.org runs Zope?
> > 
> > www.oswg.org
> 

Shane Renee Landrum  
slandrum<@>cs.smith.edu    
----"Some people enjoy the corporate life.
    Then again, some people enjoy nipple clamps."  --- seen on an ad
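The Apache front-end approach Jens describes, written out as an added example (not configuration from the original thread or from the Zope project). It assumes Apache httpd with mod_rewrite and mod_proxy loaded, Zope listening on localhost:8080, and "niceweathertoday" as the chosen alias name from the post; the pattern for management URLs is an assumption as well.

```apache
# Added example, not from the original thread. Assumes Apache httpd with
# mod_rewrite and mod_proxy enabled and Zope listening on localhost:8080.
RewriteEngine On

# Rule 1: refuse direct access to any Zope management URL
# (.../manage and, assumed here, its manage_* variants) before anything
# else is considered. [F] returns 403 Forbidden, [L] stops processing.
RewriteRule ^.*/manage(_[A-Za-z0-9_]*)?$ - [F,L]

# Rule 2: map the chosen alias ("niceweathertoday", the name used in the
# post) to the underlying Zope manage page and proxy it to Zope.
RewriteRule ^/(.*)/niceweathertoday$ http://localhost:8080/$1/manage [P,L]

# Rule 3: everything else is passed through to Zope unchanged.
RewriteRule ^/(.*)$ http://localhost:8080/$1 [P,L]
```

This only helps if Zope's own port (8080 here) is not reachable except from the Apache host, since anyone who can talk to Zope directly bypasses the rewrite rules; the alias also remains guessable, so it complements, rather than replaces, a strong password set with zpasswd.py.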