[Zope] Major security flaw in Zope 2.3.2
Oleg Broytmann <phd@phd.fep.ru>
Thu, 7 Jun 2001 00:07:20 +0400 (MSD)
On Wed, 6 Jun 2001, Steve Drees wrote:
> > > >Of course it would not help against a prying administrator. It's plain
> > > >simple to sniff the passwords from HTTP traffic.
> > >
> > > And that's why you shouldn't allow access to the management interface
> > > via HTTP. (I just wonder why there is a *separate* ZServer with SSL
> >
> > This is not of much help. A prying admin who already has access to the
> > filesystem will just hack Zope and get the passwords mailed to him, SSL or no
> > SSL - right from Zope.
>
> If you can't trust your admin, get another admin.
If you trust your admin - why do you need to encrypt Zope passwords?
Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.