[Zope] Major security flaw in Zope 2.3.2
Oleg Broytmann
Oleg Broytmann <phd@phd.fep.ru>
Thu, 7 Jun 2001 00:32:17 +0400 (MSD)
On Wed, 6 Jun 2001, Ragnar Beer wrote:
> >> And that's why you shouldn't allow access to the management interface
> >> via HTTP. (I just wonder why there is a *separate* ZServer with SSL
> >
> > This is of not much help. A prying admin who already has access to the
> > filesystem will just hack Zope and get passwords mailed to him, SSL or no
> > SSL - right from Zope.
> >
> >Oleg.
>
> Absolutely right. I wasn't referring to sniffing admins here but to
> sending plaintext passwords over HTTP in general.
This has nothing to do with encrypting passwords in ZODB. You want - and I
completely agree - that we need encrypted browser<=>server sessions...
well, there is Apache+SSL.
Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.