Hi,
Probably the HelpSys object shouldn't be available by default
to non-authenticated users, because it gives too much information
on the currently installed products.
Access any Zope site this way:
http://your.zope.site/HelpSys
and you'll learn what products are available on the server.
This can't lead to a direct compromise, but this gives way
too much information to anonymous users IMHO.
Tested today on several low and very high profile sites.
bye,
Jerome Alet
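
Added example, not part of the original message or of Zope itself: a log check a site operator could run to see whether anonymous requests for HelpSys are being answered on their own server. It assumes the access log is in Combined Log Format with unauthenticated users recorded as "-" or "Anonymous"; the function names and the sample log lines are constructed for illustration.

```python
import re

# Assumption: the access log follows Combined Log Format and records
# unauthenticated requests with the user field "-" or "Anonymous".
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
ANON_USERS = {"-", "Anonymous"}


def is_helpsys_path(path):
    """True when HelpSys is a whole path segment (query string ignored)."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    return "HelpSys" in segments


def anonymous_helpsys_hits(lines):
    """Return (ip, timestamp, path) for each anonymous request that was
    answered with a 2xx status for HelpSys or anything beneath it."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if (m["user"] in ANON_USERS
                and m["status"].startswith("2")
                and is_helpsys_path(m["path"])):
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - Anonymous [01/Jan/2000:10:01:22 +0000] "GET /HelpSys HTTP/1.0" 200 5123',
    '192.0.2.10 - - [01/Jan/2000:10:01:25 +0000] "GET /HelpSys/menu?x=1 HTTP/1.0" 200 2301',
    '198.51.100.7 - admin [01/Jan/2000:10:02:00 +0000] "GET /HelpSys HTTP/1.0" 200 5123',
    '203.0.113.5 - Anonymous [01/Jan/2000:10:03:00 +0000] "GET /HelpSys HTTP/1.0" 401 0',
    '203.0.113.5 - Anonymous [01/Jan/2000:10:03:05 +0000] "GET /docs/HelpSystem.html HTTP/1.0" 200 900',
    'not a log line',
]

if __name__ == "__main__":
    for ip, ts, path in anonymous_helpsys_hits(SAMPLE_LOG):
        print(f"anonymous HelpSys access: {ip} [{ts}] {path}")
```

Any hit means HelpSys content was served without authentication; a 401 or 403 on the same path means access is already restricted.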