[Zope] Major security flaw in Zope 2.3.2

Oleg Broytmann <phd@phd.fep.ru>
Thu, 7 Jun 2001 00:32:17 +0400 (MSD)


On Wed, 6 Jun 2001, Ragnar Beer wrote:
> >>  And that's why you shouldn't allow access to the management interface
> >>  via HTTP. (I just wonder why there is a *separate* ZServer with SSL
> >
> >    This is not of much help. A prying admin who already has access to the
> >filesystem will just hack Zope and get passwords mailed to him, SSL or no
> >SSL - right from Zope.
> >
> >Oleg.
>
> Absolutely right. I wasn't referring to sniffing admins here but to
> sending plaintext passwords over HTTP in general.

   This has nothing to do with encrypting passwords in ZODB. You want - and I
completely agree - that we need encrypted browser<=>server sessions...
well, there is Apache+SSL.

Oleg.
----
     Oleg Broytmann     http://www.zope.org/Members/phd/     phd@phd.pp.ru
           Programmers don't die, they just GOSUB without RETURN.
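The Apache+SSL setup Oleg points to, as an added example that is not part of the original thread or of Zope itself: Apache terminates TLS and proxies to a ZServer that is reachable only on the loopback interface, so the management interface and its HTTP Basic-auth credentials never cross the network in the clear. The host name zope.example.org, the ZServer address 127.0.0.1:8080 and the certificate paths are placeholders; adjust them to your installation.

```apache
# Added example, not from the original message or the Zope project.
# Assumed: ZServer bound to the loopback address only and listening on
# 127.0.0.1:8080; public site name zope.example.org; certificate paths
# below are placeholders. Requires mod_ssl, mod_proxy and mod_rewrite.

<VirtualHost *:80>
    ServerName zope.example.org
    # Refuse plaintext entirely: redirect every request to HTTPS, so no
    # Basic-auth header for /manage can ever be sent over port 80.
    RewriteEngine On
    RewriteRule ^/(.*)$ https://zope.example.org/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName zope.example.org
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/zope.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/zope.example.org.key

    # Proxy to Zope through its VirtualHostMonster path so that the URLs
    # Zope generates come back as https://zope.example.org/... instead of
    # http://127.0.0.1:8080/..., which would otherwise push browsers back
    # onto plaintext links.
    RewriteEngine On
    RewriteRule ^/(.*)$ \
        http://127.0.0.1:8080/VirtualHostBase/https/zope.example.org:443/VirtualHostRoot/$1 [P,L]
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The proxy only helps if ZServer itself is not reachable from outside: bind it to 127.0.0.1 (or firewall port 8080), otherwise a client can simply bypass Apache and talk plaintext HTTP to Zope directly. As Oleg notes above, none of this protects against an administrator who already has filesystem access to the Zope instance; it only protects the credentials in transit.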