[Zope] www.oswg.org runs Zope?

John Edstrom edstrom@Poopsie.hmsc.orst.edu
Wed, 19 Apr 2000 09:43:16 -0700 (PDT)


Anthony Baxter
> 
> 
> >>> srl wrote
> > Now, the fact that we can add /manage to any URL to edit the data seems
> > like a potential security hole. all it would take to crack a Zope password
> > would be running a password guesser with user 'superuser'. Or am I missing
> > something here?
> 
> So put it behind Apache, and either strip out all basic auth (and make
> sure user auth uses cookies) or block .*/manage.*

Restricting access by IP number also helps.

It's worth forcing management over to https (things like
account/password info for SQL connections shouldn't be in plain text,
IMO).  This can be done with a rewrite rule; redirect all http://.../manage
-> https://.../manage.


Wasn't there an SSL-ified Medusa released a few months ago?  I don't
remember the name or source.  I didn't look into it at the time
(fastcgi works fine over https), but it might be just what some people
are looking for.

> 
> Anthony
> -- 
> Anthony Baxter     <anthony@interlink.com.au>   
> It's never too late to have a happy childhood.


-- 
 John Edstrom | edstrom @ slugo.hmsc.orst.edu

 http://bubo.hmsc.orst.edu/~edstrom
 "Lurker" at BioMOO (bioinfo.weizmann.ac.il:8888)

 Hatfield Marine Science Center
 2030 S. Marine Science Drive
 Newport, Oregon     97365-5296
 wk: (541) 867 0197
 fx: (541) 867 0138
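One way to put the two suggestions above (redirect every /manage URL to https, and only let the admin network reach it) into an Apache front-end, as an added example that is not from the original thread; the host name, certificate paths, Zope back-end address, admin subnet and Apache 2.4 `Require` syntax are all assumptions:

```apache
# Plain-HTTP virtual host: never serve the Zope management screens over
# HTTP.  Any URL containing /manage is redirected to the same path on
# HTTPS, so Basic-auth credentials and the SQL connection passwords
# stored in the ZODB are not sent in clear text.
<VirtualHost *:80>
    # assumed host name
    ServerName zope.example.org
    RewriteEngine On
    # /manage may appear anywhere in the path (e.g. /folder/manage_main)
    RewriteCond %{REQUEST_URI} /manage
    # preserve the full request path on the redirect
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    # assumed: Zope's ZServer listens on 127.0.0.1:8080
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# HTTPS virtual host: management screens are only reachable from the
# administrators' subnet; everyone else gets 403 before Zope ever sees
# the request, so the password-guessing scenario from the thread never
# reaches the 'superuser' account.
<VirtualHost *:443>
    ServerName zope.example.org
    SSLEngine On
    # assumed certificate/key locations
    SSLCertificateFile    /etc/ssl/certs/zope.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/zope.example.org.key
    <LocationMatch "/manage">
        # Apache 2.4 mod_authz_core; 192.0.2.0/24 is an assumed admin range
        Require ip 192.0.2.0/24
    </LocationMatch>
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The redirect only protects credentials in transit; it is the `Require ip` block that actually limits who can attempt logins against the management interface.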