[Zope-CMF] CMFDefault register method & security

Andrew Sawyers andrew@digicool.com
Wed, 18 Jul 2001 12:41:35 -0400


Well, I guess that's fine since the username and password are being passed over
the wire in the clear anyhow.  I don't see much difference whether it's in
the url or in a hidden form.  In either case an able person is going to get
them if they want them; I guess the log issue just makes another area
where someone could exploit, thus I guess putting it into a post is the
better of two evils.  What about encoding them into a cookie, decoding them
on the server side?  Still crackable, but would take slightly more effort
and exclude script kiddies?
Andrew

> -----Original Message-----
> From: shane@localhost.localdomain [mailto:shane@localhost.localdomain]On
> Behalf Of Shane Hathaway
> Sent: Tuesday, July 17, 2001 12:31 PM
> To: Andrew Sawyers
> Cc: zope-cmf@zope.org
> Subject: Re: [Zope-CMF] CMFDefault register method & security
>
>
> Andrew Sawyers wrote:
> > Jens and I both think it's a bug; I couldn't come up with an easy solution;
> > all attempts at passing this through failed.  If you've got a solution, send
> > it on over.  Otherwise this is going to wait until one of us can devote more
> > time to it.  We've both got other things on our plate at the moment.
>
> Use a form with hidden fields.  Something like this (not looking at the
> code):
>
> <form action="logged_in" method="POST">
>   <input type="hidden" name="__ac_name" value="&dtml-name;" />
>   <input type="hidden" name="__ac_password" value="&dtml-password;" />
>   <input type="submit" value="Log in now" />
> </form>
>
> The disadvantage of passing a password in a URL is that it might show up
> in an HTTP log, which doesn't matter unless you're using HTTPS.  The
> hidden fields solution closes that hole.
>
> Shane
>
> > > -----Original Message-----
> > > From: zope-cmf-admin@zope.org [mailto:zope-cmf-admin@zope.org]On Behalf
> > > Of Chris Withers
> > > Sent: Tuesday, July 17, 2001 4:00 AM
> > > To: jens@digicool.com
> > > Cc: zope-cmf@zope.org
> > > Subject: [Zope-CMF] CMFDefault register method & security
> > >
> > >
> > > Jens,
> > >
> > > Did anyone have any thoughts about this bit of the bug?
> > >
> > > > > Also, should the registered method really contain a url which has both the
> > > > > username and password of a newly generated member in it?  Seems like a bit of a
> > > > > security hole to me :-S
> > >
> > > cheers,
> > >
> > > Chris
>
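Shane's point above is that credentials carried in a URL end up in the HTTP access log. As an added defender-side example (not code from the thread or from CMF), here is a small scanner that flags Common Log Format lines whose request URL carries Zope's `__ac_name`/`__ac_password` parameters and redacts their values before the log is retained; the log lines are constructed samples, and the log format regex is an assumption about the server's log layout.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Zope's form/cookie auth parameter names, as used in the thread.
CREDENTIAL_PARAMS = {"__ac_name", "__ac_password"}

# Assumed Common Log Format: host ident user [time] "METHOD URL HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<url>\S+)(?P<post> HTTP/[\d.]+".*)$'
)


def find_leaked_credentials(line):
    """Return the credential parameter names present in the logged request URL (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    query = urlsplit(m.group("url")).query
    return {k for k, _ in parse_qsl(query, keep_blank_values=True) if k in CREDENTIAL_PARAMS}


def redact_line(line):
    """Replace credential values in the logged URL with REDACTED; other lines are returned unchanged."""
    m = LOG_RE.match(line)
    if not m:
        return line
    parts = urlsplit(m.group("url"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k in CREDENTIAL_PARAMS for k, _ in pairs):
        return line
    safe = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v) for k, v in pairs]
    new_url = urlunsplit(parts._replace(query=urlencode(safe)))
    return m.group("pre") + m.group("method") + " " + new_url + m.group("post")


def scan(lines):
    """Return (line_number, sorted leaked parameter names) for each line that exposes credentials."""
    hits = []
    for n, line in enumerate(lines, 1):
        leaked = find_leaked_credentials(line)
        if leaked:
            hits.append((n, sorted(leaked)))
    return hits


# Constructed sample traffic: the GET redirect form leaks both values into the log,
# the hidden-field POST form from the thread leaves nothing in the URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2001:12:41:35 -0400] "GET /portal/logged_in?__ac_name=alice&__ac_password=s3cret HTTP/1.0" 200 512',
    '10.0.0.5 - - [18/Jul/2001:12:41:36 -0400] "POST /portal/logged_in HTTP/1.0" 302 0',
]

if __name__ == "__main__":
    for n, params in scan(SAMPLE_LOG):
        print(f"line {n}: credentials in URL: {params}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Neither form protects the values on the wire without HTTPS, which is the point both Shane and Andrew make; the scanner only addresses what gets persisted in the log.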