[Zope] Major security flaw in Zope 2.3.2
Maarten Slaets
maarten.slaets@neolabs.be
Wed, 06 Jun 2001 18:19:01 +0200
Ragnar Beer wrote:
>
> snip
> >Of course it would not help against a prying administrator. It's plain
> >simple to sniff the passwords from HTTP traffic.
> >
> >Regards, Frank
> >
>
> And that's why you shouldn't allow access to the management interface
> via HTTP. (I just wonder why there is a *separate* ZServer with SSL
> capabilities and why SSL isn't simply integrated into the standard
> ZServer. Does anybody know?) I simply 'Deny from all' all accesses
> to any URL containing 'manage' on port 80 so that no one accidentally
> sends a password in cleartext.
Perhaps a more user-friendly solution would be to redirect/rewrite/...
:80/manage to :443/manage.
I don't know by heart how to do this in Apache, but if I find it I'll
post it to the list.
>
> Ragnar
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
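Added example (not from either poster, and not part of the Zope project) of the two Apache configurations discussed above: Ragnar's "Deny from all" on management URLs served over port 80, and Maarten's suggested redirect of :80/manage to :443/manage. It assumes Apache 1.3/2.0 with mod_rewrite and mod_proxy in front of a ZServer listening on localhost:8080, and a hostname of zope.example.com; all of those are assumptions for illustration.

```apache
# Plain-HTTP side: never let management traffic through in cleartext.
<VirtualHost *:80>
    ServerName zope.example.com

    # Option A (Ragnar's approach): refuse any URL containing "manage"
    # (/manage, /manage_main, /manage_workspace, ...) on port 80 outright.
    <LocationMatch "manage">
        Order deny,allow
        Deny from all
    </LocationMatch>

    # Option B (Maarten's suggestion): instead of refusing, send the
    # browser to the same path over HTTPS. Use one of A or B, not both;
    # if both are present the Deny wins and the redirect never fires.
    RewriteEngine On
    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^(.*manage.*)$ https://%{HTTP_HOST}$1 [R=301,L]

    # Everything else on port 80 is proxied to Zope as before (assumed
    # backend address).
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

# HTTPS side: management interface is reachable only here.
<VirtualHost *:443>
    ServerName zope.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/zope.example.com.crt
    SSLCertificateKeyFile /etc/apache/ssl/zope.example.com.key

    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
```

One caveat on the redirect variant: Zope's management screens use HTTP Basic authentication, and a browser that has already authenticated to that realm will attach the Authorization header to its very first request, i.e. to the cleartext port-80 request that then gets redirected. The redirect therefore only protects someone who types the :80 URL before ever logging in; once credentials are cached, a stray http:// link still leaks them. Ragnar's Deny from all has the same limitation (the header is sent before the 403 comes back), so the real fix is to not have a port-80 listener that management traffic can reach at all, and to treat the redirect purely as a convenience for the not-yet-authenticated case.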