[Zope] Major security flaw in Zope 2.3.2

Bill Anderson bill@libc.org
06 Jun 2001 18:15:46 -0600


On 06 Jun 2001 19:59:47 +0200, Jerome Alet wrote:
> On Wed, Jun 06, 2001 at 08:41:06AM -0500, Farrell, Troy wrote:
> > security system from the filesystem.  These passwords should not be
> > cleartext anymore than you would select the cleartext option for your
> > inituser or access file.
> 
> That's exactly what surprised me the most:
> 
> you can select an encryption method for the initial user's password, but all other
> passwords are stored unencrypted.
> 
> IMHO this is a trivial patch: We agree that passwords travel basically unencrypted over the wires,
> so we can't do anything there. However, every time we receive a password from the network, just encrypt
> it and compare it against the encrypted password which is stored in the ZODB.
> 
> Of course for every new user or every password change, store the password in an encrypted
> form (MD5 will do).
> 
> The patch should be a one (or two) liner (although I've not verified) and should be transparent
> for everyone.
> 
You could probably pull the password encryption from ZMC. ZMC already defaults to encrypted storage/comparing.
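The scheme proposed in the thread (hash on store, re-hash whatever arrives from the network and compare against the stored hash, keep existing cleartext records working until they can be re-hashed) as an added, self-contained example. It is not code from the thread, from Zope or from ZMC. Assumptions: the user store is a plain dict standing in for the ZODB user folder, the hash is salted SHA-256 with a `{SSHA256}` prefix (the post suggests MD5; an unsalted fast hash is trivially reversible with a lookup table, so a salt and a slower hash are the practitioner's choice), and a record without that prefix is treated as a pre-patch cleartext entry that is upgraded on the next successful login.

```python
import hashlib
import hmac
import os

PREFIX = "{SSHA256}"  # marks a hashed record; assumption, not a Zope format


def hash_password(password, salt=None):
    """Return PREFIX + hex(salt) + '$' + hex(sha256(salt + password)).

    A fresh random salt per record means two users with the same password
    get different stored values, so one cracked record reveals nothing
    about the others.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return "%s%s$%s" % (PREFIX, salt.hex(), digest)


def check_password(stored, candidate):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    if not stored.startswith(PREFIX):
        return False
    salt_hex, _, digest = stored[len(PREFIX):].partition("$")
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # corrupt record: fail closed
    expected = hashlib.sha256(salt + candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


# A dummy record so that lookups of unknown users cost a hash as well,
# which keeps response timing from revealing which names exist.
_DUMMY = hash_password("dummy")


class UserFolder:
    """Minimal stand-in for a user store that keeps only hashed passwords."""

    def __init__(self):
        self._users = {}  # name -> stored record (hashed, or legacy cleartext)

    def add_user(self, name, password):
        self._users[name] = hash_password(password)

    def change_password(self, name, new_password):
        if name not in self._users:
            raise KeyError(name)
        self._users[name] = hash_password(new_password)

    def import_legacy_record(self, name, cleartext):
        """Constructed pre-patch state: the record is the cleartext password."""
        self._users[name] = cleartext

    def is_hashed(self, name):
        return self._users[name].startswith(PREFIX)

    def stored_record(self, name):
        return self._users[name]

    def authenticate(self, name, password):
        """Verify a password received from the network; never store it."""
        stored = self._users.get(name)
        if stored is None:
            check_password(_DUMMY, password)
            return False
        if stored.startswith(PREFIX):
            return check_password(stored, password)
        # Legacy cleartext record: compare, then upgrade it in place so the
        # cleartext disappears the first time the user logs in successfully.
        if hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
            self._users[name] = hash_password(password)
            return True
        return False


if __name__ == "__main__":
    folder = UserFolder()
    folder.add_user("alice", "s3cret")
    folder.import_legacy_record("bob", "plain")
    print(folder.stored_record("alice"))
    print(folder.authenticate("alice", "s3cret"), folder.authenticate("alice", "wrong"))
    print(folder.authenticate("bob", "plain"), folder.is_hashed("bob"))
```

Nothing in `authenticate` ever writes the received password to the store except through `hash_password`, which is the whole point of the patch the thread asks for: the on-the-wire exposure remains, but a copy of the ZODB no longer yields every account's password.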