[Zope] Major security flaw in Zope 2.3.2

Oleg Broytmann <phd@phd.fep.ru>
Thu, 7 Jun 2001 00:07:20 +0400 (MSD)


On Wed, 6 Jun 2001, Steve Drees wrote:
> > > >Of course it would not help against a prying administrator. It's plain
> > > >simple to sniff the passwords from HTTP traffic.
> > >
> > > And that's why you shouldn't allow access to the management interface
> > > via HTTP. (I just wonder why there is a *separate* ZServer with SSL
> >
> >    This is of not much help. A prying admin who already has access to the
> > filesystem will just hack Zope and get the passwords mailed to him, SSL or no
> > SSL - right from Zope.
>
> If you can't trust your admin, get another admin.

   If you trust your admin - why do you need to encrypt Zope passwords?

Oleg.
----
     Oleg Broytmann     http://www.zope.org/Members/phd/     phd@phd.pp.ru
           Programmers don't die, they just GOSUB without RETURN.