DC's position has always been that if you can access your box's filesystem, you can access Zope. For a web application server this seems reasonable to me and has never concerned me; if anyone gets access to my filesystem on IIS, I'm screwed as well. Sending passwords over HTTP and using plain text to store them is a little more of a concern IMHO. By the way, probably the easiest way to read passwords is to install Shane's wxPython widget and browse the passwords in a GUI :)

----- Original Message -----
From: "Jerome Alet" <alet@unice.fr>
To: <zope@zope.org>
Sent: Wednesday, June 06, 2001 5:44 AM
Subject: [Zope] Major security flaw in Zope 2.3.2
Hi,
First, I'm sorry if this is a well known problem.
Anybody who can read the file Data.fs (or Data.fs.old) can also do whatever he wants on your ZODB.
Explanation: it seems that Zope 2.3.0 and 2.3.2 store passwords in clear text in the ZODB!!!
The following is only partially tested, but should work:
Say someone has a local Unix account on your Zope server (don't know for NT, but I think the problem is still there), and has read-only access to the Zope/var/Data.fs file.
Then he just installs Zope on his own machine, puts the stolen Data.fs file there, and uses the emergency user facility to access it.
Then he just has to put an External Method in the root which does:
--- CUT ---
# Runs as an External Method on the root folder; the user folder is acl_users.
for username in self.acl_users.getUserNames():
    user = self.acl_users.getUser(username)
    clearpassword = user._getPassword()
    # do something with username/clearpassword
--- CUT ---
The user has now a list of username/passwords to access YOUR ZODB's root from everywhere, and can do whatever he wants.
Setting rw------- permissions on Data.fs may help, but not in all cases:
if Data.fs is owned by nobody.nogroup, Apache is installed on the same machine, and the user can run his own cgi-scripts (most ISPs I suppose), then by default the user's CGI scripts will run as nobody too, allowing him to read Data.fs during his own CGI execution, and copy it wherever he wants during this time.
Solutions:
* make Data.fs and Data.fs.old only readable by a user that no other user on the system can run commands as.
* But the best thing to do is:
Encrypt all passwords in the ZODB.
hoping this helps.
bye,
Jerome Alet
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
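The thread's remedy is to stop keeping clear-text passwords in the storage, so that a copied Data.fs yields nothing usable. As an added example, not code from Zope or from either poster, the sketch below keeps only a salted PBKDF2 verifier per user in a stand-in for acl_users (the class, the verifier format and the round count are my assumptions); whoever dumps the store sees salts and hashes, not passwords.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; not values from Zope.
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing verifier: scheme$rounds$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(verifier, candidate):
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    try:
        scheme, rounds, salt_hex, digest_hex = verifier.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(rounds)
    except ValueError:
        return False  # malformed or unknown verifier never authenticates
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


class UserFolder:
    """Hypothetical stand-in for acl_users that stores verifiers, never clear text."""

    def __init__(self):
        self._users = {}

    def add_user(self, name, password):
        self._users[name] = hash_password(password)

    def get_user_names(self):
        return sorted(self._users)

    def authenticate(self, name, password):
        verifier = self._users.get(name)
        return verifier is not None and verify_password(verifier, password)

    def dump(self):
        """Everything a reader of the storage file would get: verifiers only."""
        return dict(self._users)
```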