[Zope] Major security flaw in Zope 2.3.2

Ragnar Beer rbeer@uni-goettingen.de
Wed, 6 Jun 2001 16:02:11 +0200


snip
>Of course it would not help against a prying administrator. It's plain
>simple to sniff the passwords from HTTP traffic.
>
>Regards, Frank
>

And that's why you shouldn't allow access to the management interface
via HTTP. (I just wonder why there is a *separate* ZServer with SSL
capabilities and why SSL isn't simply integrated into the standard
ZServer. Does anybody know?) I simply 'Deny from all' all accesses
to any URL containing 'manage' on port 80 so that no one accidentally
sends a password in cleartext.

Ragnar
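The rule described in the message above, written out as an added example (this is not configuration from Ragnar's post or from the Zope project). It assumes Apache 2.2-era mod_access syntax with Apache reverse-proxying to ZServer; the backend address 127.0.0.1:8080, the hostname zope.example.org and the certificate paths are placeholders.

```apache
# Added example, not from the original message.
# Assumption: Apache fronts ZServer on port 80 (plain HTTP) and 443 (SSL).

# --- plain HTTP: refuse every URL that contains "manage" ---
<VirtualHost *:80>
    ServerName zope.example.org

    # Matches /manage, /manage_main, /folder/manage_workspace, etc.
    # The match is case-sensitive, which suits Zope's lowercase method names.
    <LocationMatch "manage">
        Order deny,allow
        Deny from all
    </LocationMatch>

    # Everything else is passed through to ZServer (placeholder address).
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# --- SSL: management interface reachable, credentials travel encrypted ---
<VirtualHost *:443>
    ServerName zope.example.org
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/ssl/certs/zope.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/zope.example.org.key

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Because the port-80 rule answers with 403 before any authentication challenge is issued, a browser never gets the chance to send a Basic-auth header in cleartext. Two things to check before deploying: the substring match also blocks any ordinary content whose URL happens to contain "manage", so confirm the pattern against the site's real URLs; and on Apache 2.4 the `Order`/`Deny` pair is replaced by `Require all denied`.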