[Zope] www.oswg.org runs Zope?
John Edstrom
edstrom@Poopsie.hmsc.orst.edu
Wed, 19 Apr 2000 09:43:16 -0700 (PDT)
Anthony Baxter
>
>
> >>> srl wrote
> > Now, the fact that we can add /manage to any URL to edit the data seems
> > like a potential security hole. all it would take to crack a Zope password
> > would be running a password guesser with user 'superuser'. Or am I missing
> > something here?
>
> So put it behind Apache, and either strip out all basic auth (and make
> sure user auth uses cookies) or block .*/manage.*
Restricting access by IP number also helps.
It's worth forcing management over to https (things like
account/password info for SQL connections shouldn't be in plain text,
IMO). This can be done with a rewrite rule; redirect all http://.../manage
-> https://.../manage.
Wasn't there an SSL-ified Medusa released a few months ago? I don't
remember the name or source. I didn't look into it at the time
(fastcgi works fine over https), but it might be just what some people
are looking for.
>
> Anthony
> --
> Anthony Baxter <anthony@interlink.com.au>
> It's never too late to have a happy childhood.
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
>
--
John Edstrom | edstrom @ slugo.hmsc.orst.edu
http://bubo.hmsc.orst.edu/~edstrom
"Lurker" at BioMOO (bioinfo.weizmann.ac.il:8888)
Hatfield Marine Science Center
2030 S. Marine Science Drive
Newport, Oregon 97365-5296
wk: (541) 867 0197
fx: (541) 867 0138
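The following Apache configuration is an added example, not part of the thread or of Zope's own documentation. It shows the three mitigations discussed above in one place: a rewrite rule that redirects any http URL containing /manage to https, an address restriction on the management interface, and (commented out) an outright block of /manage from the front end. The hostname handling, the admin network 192.0.2.0/24, and the Zope backend on 127.0.0.1:8080 are placeholders; the directives are mod_rewrite, mod_access (Apache 1.3/2.0/2.2 syntax) and mod_proxy.

```apache
# Added example (not from the thread): Apache in front of Zope, applying the
# mitigations discussed above. Admin network and backend port are placeholders.
RewriteEngine On

# 1. Force every URL that contains /manage onto HTTPS, so Basic-auth
#    credentials and ZMI contents (e.g. SQL connection passwords) are never
#    sent in clear text. %{HTTPS} is provided by mod_ssl.
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*/manage.*)$ https://%{HTTP_HOST}$1 [R=301,L]

# 2. Only allow the management interface from an admin network
#    (mod_access; Apache 2.4 would use "Require ip 192.0.2.0/24" instead).
#    Anything else gets a 403 before the request ever reaches Zope, which
#    also stops password guessing against the superuser account.
<LocationMatch "/manage">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</LocationMatch>

# 3. Alternative to 2: refuse /manage from the front end altogether and do
#    management only on the Zope port from the local machine.
# RewriteRule ^.*/manage.* - [F,L]

# Everything else is proxied to Zope (placeholder address).
ProxyPass        / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
```

The redirect in step 1 must come first so that a plain-http request for /manage is sent to https before the address check runs; the check in step 2 then applies to the https request as well, since `LocationMatch` is evaluated for both virtual hosts if placed in the main server config. The rule in step 3 is the "block .*/manage.*" option from the quoted reply; it is mutually exclusive with exposing the management interface to the admin network, so only one of 2 and 3 should be active.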