Hi, probably the HelpSys object shouldn't be available by default to non-authenticated users, because it gives too much information on the currently installed products.
access any Zope site this way : http://your.zope.site/HelpSys and you'll learn what products are available on the server. This can't lead to a direct compromise, but this gives way too much information to anonymous users IMHO. Tested today on several low and very high profile sites. bye, Jerome Alet _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )