[Zope] Major security flaw in Zope 2.3.2

Steve Drees drees@the-bridge.net
Wed, 6 Jun 2001 15:03:46 -0500


> > >Of course it would not help against a prying administrator. It's plain
> > >simple to sniff the passwords from HTTP traffic.
> >
> > And that's why you shouldn't allow access to the management interface
> > via HTTP. (I just wonder why there is a *separate* ZServer with SSL
> 
> This is not of much help. A prying admin who already has access to the
> filesystem will just hack Zope and get passwords mailed to him, SSL or no
> SSL - right from Zope.

If you can't trust your admin, get another admin.