[Zope] Major security flaw in Zope 2.3.2

Joachim Werner joe@iuveno-net.de
Wed, 6 Jun 2001 19:57:02 +0200


> Yes: you miss that after having "walked" into your own copy of a stolen Data.fs, you
> know all the passwords which will allow you to deface the original site putting there
> your own index_html saying "nice" things about you on the frontpage...

You are right with this. However, it's funny how people think differently: We
are mainly building intranets, and our customers say: "It's not that much of
a problem if the site is down from time to time, but absolutely nobody
should get to the data if not authorized to do so."

If you mainly think of public websites, the priorities are totally
different: Uptime is important, and nobody should be able to modify the
original data, i.e. deface the site or so. The data is publicly available
anyway, so getting read access to it is not considered a problem ...

> > First of all, I don't think the password issue really IS an issue. I mean,
> > as soon as I have read access to an Apache's data directory, I also can copy
> > it. You just should not be able to come that far ...
>
> Yes, you can copy it, but not modify it, see above.

see above ...

> However this is just a matter of "the good way to do it", and "the good way to do it" regarding
> password storing is to store them in an encrypted form.

I am really not against encrypted passwords. DC should implement this soon.
AFAIK the only reason for passwords not being encrypted yet was that the
encryption modules needed were not available for all platforms or so.

Joachim