[Zope] Major security flaw in Zope 2.3.2

Jerome Alet alet@unice.fr
Wed, 6 Jun 2001 20:49:14 +0200


On Wed, Jun 06, 2001 at 02:22:28PM -0400, Brian Lloyd wrote:
> http://dev.zope.org/Wikis/DevSite/Proposals/EncryptedUserfolderPasswords

I didn't know that.

> It is a little more than a 2 or 3 line patch; please read what's
> already there, add your comments, help us to work out the 
> conversion issues, and help us get a sense of priority for this.

I'll try to give it a look.

> It is rather dispiriting to see a "shocking major security flaw!" 
> thread about something that has been quite visible in the proposals 
> area for nearly 6 months. :(

Sorry, I understand your feelings. I was so shocked to discover this
that I posted in too emotional a spirit, I suppose.

The very disturbing thing is the fact that the inituser file is encrypted,
so I was confident that all other passwords were encrypted.

However, this problem doesn't need another 6 months or so for a solution.

> Please let me know if you have ideas for improvements we can make 
> to the fishbowl to encourage more people to use it.

Yes, as Oleg would probably say: put all this in a mailing list!

bye,

Jerome Alet