[Zope] Major security flaw in Zope 2.3.2
Ragnar Beer
rbeer@uni-goettingen.de
Wed, 6 Jun 2001 22:13:55 +0200

>On Wed, 6 Jun 2001, Ragnar Beer wrote:
>> >Of course it would not help against a prying administrator. It's plain
>> >simple to sniff the passwords from HTTP traffic.
>> >
>> >Regards, Frank
>> >
>>
>> And that's why you shouldn't allow access to the management interface
>> via HTTP. (I just wonder why there is a *separate* ZServer with SSL
>
> This is of not much help. Prying admin who already has access to
>filesystem will just hack Zope and get passwords mailed to him, SSL or no
>SSL - right from Zope.
>
>Oleg.

Absolutely right. I wasn't referring to sniffing admins here but to
sending plaintext passwords over HTTP in general.

Ragnar