[Zope] Major security flaw in Zope 2.3.2

[Ragnar Beer]

snip
>Of course it would not help against a prying administrator. It's plain
>simple to sniff the passwords from HTTP traffic.
>
>Regards, Frank
>

And that's why you shouldn't allow access to the management interface
via HTTP. (I just wonder why there is a *separate* ZServer with SSL
capabilities and why SSL isn't simply integrated into the standard
ZServer. Does anybody know?) I simple 'Deny from all' all accesses
to any url containing 'manage' on port 80 so that noone accidentally
sends a password in cleartext.

Ragnar