[Zope] some confusion on ftp security.

Patrick patrick@eahd.or.ug
Thu, 22 Mar 2001 13:28:01 +0300 (EAT)


Thanks for that Chris, but isn't that quite risky?
What I mean is that Medusa should not allow unauthenticated users to login
at all because though one is not allowed to do anything as yet, you never
know when someone will find a hack round that and then you end up with a
denial of service attack or something??

...Or am I just being over-paranoid :-( ?


On Thu, 22 Mar 2001, Chris Withers wrote:

>
> Medusa's FTP will let you login with _any_ username and password, IIRC (a bug
> IMHO) but you can only _do_ anything if a Zope user object exists with that
> username _and_ it has the rights to do what you want to do.
>
> Almost related, I've been having trouble FTP'ing into a lot of our Zope
> instances with ange-ftp recently. Basically, login goes fine, but then it just
> sits there saying:
>
> Listing.... /chris@localhost 8021:/test/...
>
> ...where test is a DTML method.
>
> any ideas?
>