[Zope] Major security flaw in Zope 2.3.2

Ragnar Beer rbeer@uni-goettingen.de
Wed, 6 Jun 2001 22:13:55 +0200


>On Wed, 6 Jun 2001, Ragnar Beer wrote:
>>  >Of course it would not help against a prying administrator. It's plain
>>  >simple to sniff the passwords from HTTP traffic.
>>  >
>>  >Regards, Frank
>>  >
>>
>>  And that's why you shouldn't allow access to the management interface
>>  via HTTP. (I just wonder why there is a *separate* ZServer with SSL
>
>    This is not of much help. A prying admin who already has access to the
>filesystem will just hack Zope and get passwords mailed to him, SSL or no
>SSL - right from Zope.
>
>Oleg.

Absolutely right. I wasn't referring to sniffing admins here but to
sending plaintext passwords over HTTP in general.

Ragnar
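As an added illustration of the point made in this exchange (example code written for this page, not code from the thread, from Zope or from ZServer): Zope's management interface authenticates with HTTP Basic auth, so anyone who can read the wire between browser and server recovers the password by base64-decoding one header. The first function does exactly that on a constructed capture of a management request; the second is the kind of gate a reverse proxy or front end could apply to refuse management traffic that did not arrive over TLS. The host, credentials and the assumption that management screens are the path segments starting with "manage" (/manage_main, /Folder/manage_workspace) are this example's own.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: a Zope management request as it would appear on the
# wire over plain HTTP. Host and credentials are made up for this example;
# the token is base64("admin:password123").
SAMPLE_REQUEST = (
    "GET /manage_main HTTP/1.0\r\n"
    "Host: zope.example.org:8080\r\n"
    "Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def sniff_basic_credentials(raw):
    """Recover (user, password) from an HTTP Basic Authorization header.

    Returns None when the request carries no usable Basic credential.
    This is all a passive observer on the path has to do: no cracking,
    the credential is merely base64-encoded, not encrypted.
    """
    _method, _path, headers = parse_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def is_management_path(path):
    """True if the request targets a management screen.

    Assumption for this example: Zope management views are path segments
    whose name starts with 'manage' (manage_main, manage_workspace, ...).
    """
    segments = [s for s in urlsplit(path).path.split("/") if s]
    return any(s.startswith("manage") for s in segments)


def management_request_allowed(raw, over_tls):
    """Policy check for a front end: management requests must use TLS.

    `over_tls` is whatever the caller knows about the transport (e.g. the
    listener the request came in on); it is not derived from the request.
    """
    _method, path, _headers = parse_request(raw)
    if is_management_path(path) and not over_tls:
        return False
    return True


if __name__ == "__main__":
    creds = sniff_basic_credentials(SAMPLE_REQUEST)
    print("credentials visible on plain HTTP:", creds)
    print("allowed over plain HTTP:", management_request_allowed(SAMPLE_REQUEST, over_tls=False))
    print("allowed over TLS:", management_request_allowed(SAMPLE_REQUEST, over_tls=True))
```

The transport flag is deliberately an input rather than something read from the headers: a client-supplied header cannot prove the request was encrypted, only the listener it arrived on can.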