[Zope] Major security flaw in Zope 2.3.2

Jerome Alet alet@unice.fr
Thu, 7 Jun 2001 09:10:09 +0200 (MET DST)


On Wed, 6 Jun 2001, Evan Simpson wrote:

> From: "Jerome Alet" <alet@unice.fr>
> > Of course for every new user or every password change, store the
> > password in an encrypted form (MD5 will do).
> >
> > The patch should be a one (or two) liner (although I've not verified)
> > and should be transparent for everyone.
> 
> Keep in mind that there's a price to be paid, here. Since HTTP is
> connectionless, interacting with Zope requires re-authenticating on every
> request.  If you're going to have a lot of requests that require
> authentication, you want it to be computationally inexpensive.  On the other
> hand, if the only people logging in are a few developers, it's not a
> problem.

You're right.

So why not make it an option (not reversible) which would default to the
safe "passwordhash=YES", and which would allow computationally intensive
sites (many authenticated requests a day) to disable it knowingly after
having properly secured access to Data.fs AND Data.fs.old.

This would also prevent any problem with the hypothetical existing
products which expect unencrypted passwords, until they are corrected.

bye,

Jerome Alet
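A sketch of the "passwordhash" option discussed in this thread, as an added example that is not from the original mail or from Zope's own code: UserStore, the "{MD5}" prefix and the upgrade-on-login path are assumptions here, and MD5 is used only because that is what the mail proposes.

```python
import hashlib
import hmac

class UserStore:
    """Hypothetical stand-in for a Zope user folder (not Zope's code)."""

    def __init__(self, passwordhash=True):
        # Proposed option: defaults to the safe setting; a site with many
        # authenticated requests may disable it knowingly.
        self.passwordhash = passwordhash
        self._users = {}  # name -> stored credential (hashed or plaintext)

    @staticmethod
    def _digest(password):
        # The mail proposes MD5. A modern deployment would use a salted,
        # deliberately slow hash (e.g. hashlib.pbkdf2_hmac) instead.
        return "{MD5}" + hashlib.md5(password.encode()).hexdigest()

    def set_password(self, name, password):
        # Applied on every new user and every password change, as proposed;
        # this also migrates a legacy plaintext entry the next time it changes.
        self._users[name] = self._digest(password) if self.passwordhash else password

    def authenticate(self, name, password):
        # Re-run on every request, since HTTP carries no session here.
        stored = self._users.get(name)
        if stored is None:
            return False
        if stored.startswith("{MD5}"):
            # Hashed entry: hash the candidate and compare in constant time.
            ok = hmac.compare_digest(stored.encode(), self._digest(password).encode())
        else:
            # Legacy plaintext entry (old Data.fs, or hashing disabled).
            # Caveat: a plaintext password itself starting with "{MD5}" would
            # be mistaken for a hash; a real store should tag entries explicitly.
            ok = hmac.compare_digest(stored.encode(), password.encode())
            if ok and self.passwordhash:
                # Assumed extension: upgrade the entry on first successful login.
                self._users[name] = self._digest(password)
        return ok

    def stored_credential(self, name):
        # What a copy of Data.fs (or Data.fs.old) would expose for this user.
        return self._users.get(name)
```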