[ZCM] [ZC] 255/ 2 Reject "FTP login: wrong username/password will return "230 Login successful""
Collector: Zope Bugs and Patches ...
zope-coders@zope.org
Thu, 28 Feb 2002 17:58:02 -0500
Issue #255 Update (Reject) "FTP login: wrong username/password will return "230 Login successful""
Status Rejected, ZServer/bug medium
To followup, visit:
http://collector.zope.org/Zope/255
==============================================================
= Reject - Entry #2 by ajung on Feb 28, 2002 5:57 pm
Status: Pending => Rejected
Zope performs security checks for every object access but not
during the FTP login process. Login is permitted with *any
credentials* because of internals of the Zope security
machinery.
Because this issue has been reported multiple times in the past,
please check the collector or the Zope mailing list archives
for a detailed discussion of this issue.
- aj
________________________________________
= Request - Entry #1 by Anonymous User on Feb 28, 2002 5:48 pm
When logging in via FTP, entering any string as username or password will yield a "230 Login successful". While I can see why (an anonymous user might be allowed to connect via FTP), this is a problem for the built-in FTP client in Windows (2000/XP), i.e. when trying to create a "Network Place" (in "My Network Places"). This will not work without specifying the password in the actual URL (Windows will not query the user for the password).
Using Ethereal will reveal that Windows, after sending the command "USER <username>", will send "PASS" without specifying a password. The expected response here is "530 Unauthorized" (if a password is required), and if such a reply is received, Windows will prompt the user for a password and try to log in again. Zope, however, will reply "230 Login successful", which will lead Windows to believe that no password is required, trying to continue with file listing, etc., which will fail.
The only way to connect to Zope via the Windows "Network Place" method is to specify both user name and password in the URL (e.g. ftp://<username>:<password>@<hostname>/). Even if this works, the password is displayed in clear text in Windows Explorer while connected, which is clearly inappropriate.
==============================================================
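The exchange described in the report, modelled in Python as an added illustration that is not part of the collector entry or of Zope's own FTP code. Two in-process server policies are compared: one that answers 230 to every PASS regardless of credentials (the behaviour the reporter observed), and one that answers 331 after USER and 530 to an empty or wrong PASS, which is the conventional RFC 959 sequence. The client routine replays what the reporter captured from Windows: USER followed by a bare PASS, with a password prompt only on 530. The account table, the rule that mismatched credentials yield an anonymous session, and the 550 reply to an anonymous LIST are assumptions of this model, not facts taken from Zope.

```python
"""Model of the FTP login exchange from the report (no sockets involved).

Server policies simulated:
  * "accept_any":        230 to every PASS (what the report describes).
  * "check_credentials": 331 after USER, 530 on empty/wrong PASS (RFC 959).
"""

# Constructed sample account table for this model; not from the report.
ACCOUNTS = {"editor": "s3cret"}


class FtpServerModel:
    """Minimal FTP command handler covering USER, PASS and LIST only."""

    def __init__(self, policy):
        assert policy in ("accept_any", "check_credentials")
        self.policy = policy
        self.pending_user = None
        self.effective_user = None  # None = not logged in

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending_user = arg
            self.effective_user = None
            return "331 User name okay, need password."
        if verb == "PASS":
            if self.pending_user is None:
                return "503 Login with USER first."
            if self.policy == "accept_any":
                # Assumption of the model: any PASS (even an empty one) logs
                # the session in; unmatched credentials give an anonymous user.
                ok = arg != "" and ACCOUNTS.get(self.pending_user) == arg
                self.effective_user = self.pending_user if ok else "anonymous"
                return "230 Login successful."
            if arg and ACCOUNTS.get(self.pending_user) == arg:
                self.effective_user = self.pending_user
                return "230 Login successful."
            return "530 Login incorrect."
        if verb == "LIST":
            # Assumption of the model: an anonymous session may not list.
            if self.effective_user is None:
                return "530 Please login with USER and PASS."
            if self.effective_user == "anonymous":
                return "550 Permission denied."
            return "150 Here comes the directory listing."
        return "502 Command not implemented."


def windows_style_login(server, username, password_prompt):
    """Replay the captured exchange: USER <name>, then a bare PASS.

    password_prompt() is called only when the server answers 530, mimicking
    the client asking the user for a password before retrying.
    Returns (prompted, final_reply_code, transcript).
    """
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        return reply

    send(f"USER {username}")
    reply = send("PASS")  # no password argument, as seen in the capture
    if reply.startswith("530"):
        send(f"USER {username}")
        reply = send(f"PASS {password_prompt()}")
        return True, reply[:3], transcript
    return False, reply[:3], transcript


def login_outcome(policy, username, password):
    """Run the exchange against one policy and attempt a LIST afterwards."""
    server = FtpServerModel(policy)
    prompted, code, _ = windows_style_login(server, username, lambda: password)
    return {
        "prompted": prompted,          # did the client ever ask for a password?
        "login": code,                 # final reply code to PASS
        "list": server.handle("LIST")[:3],
        "user": server.effective_user,
    }


if __name__ == "__main__":
    for policy in ("accept_any", "check_credentials"):
        print(policy, login_outcome(policy, "editor", "s3cret"))
```

With the "accept_any" policy the client is never prompted, the bare PASS is answered with 230, and the following LIST is refused, which is exactly the sequence the reporter describes; with "check_credentials" the 530 triggers the prompt, the retry logs in as the real user, and the listing proceeds.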