[ZCM] [ZC] 1772/ 2 Reject "Cleartext passwords in Data.fs"
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin at zope.org
Thu May 5 10:42:33 EDT 2005
Issue #1772 Update (Reject) "Cleartext passwords in Data.fs"
** Security Related ** (Public)
Status Rejected, Zope/bug critical
To followup, visit:
http://www.zope.org/Collectors/Zope/1772
==============================================================
= Reject - Entry #2 by ajung on May 5, 2005 10:42 am
Status: Pending => Rejected
a) the standard user folder *supports* encryption of passwords (see Properties tab), although it is disabled by default
b) if unauthorized people have access to the Data.fs, then this is not a Zope problem but a problem of the administrators controlling the access to the filesystem
________________________________________
= Request - Entry #1 by Anonymous User on May 5, 2005 10:32 am
Data.fs contains all passwords for accessing the Zope server in cleartext.
I consider storing cleartext passwords in Data.fs harmful for two reasons:
a) as the passwords can be easily read from Data.fs unauthorized people could get access to the Zope server (provided that they have read access to Data.fs)
b) many users tend to minimize the number of passwords in their life and might reuse a password for Zope access which could be compromised with this method.
Anyone with read access to Data.fs can easily access the cleartext passwords of the users. Finding the passwords in the binary Data.fs file is very easy; for instance, the standard unix 'strings' utility can be used.
To reproduce and confirm the security hole I performed the following steps:
1) download and install latest Zope release
2) at the end of the installation add an administrator called 'administrator' with password 'topsecret'
3) start Zope
4) add an user named 'normaluser' with password 'theuserpassword'
5) stop Zope
6)
cd $ZOPEDIRECTORY
strings 'var/Data.fs' | less
a quick search for the username 'normaluser' yields:
normaluserq
q^L(h
Userq
ttQus.
AccessControl.Userq
Userq
Nt.}q
theuserpasswordq
The password of the administrator seems to be securely stored; searching the strings of Data.fs for administrator yields:
administratorq
AccessControl.Userq
Userq
ttQss.
AccessControl.Userq
Userq
Nt.}q
U!{SHA}EiAf5eICiDvUX8l+hzZuoFGD4OQ=q
The last line looks to me as if the password is stored only in SHA encrypted form. An old version of Zope 2.7.3, which I still have running, stores even the administrator password in cleartext in Data.fs.
Best regards,
Christian Plessl
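The two entries above disagree about where the fault lies, but both describe the same mechanism: a user folder stores each credential either as the literal password or as a '{SHA}' digest of it, and only the cleartext form turns up in a dump of Data.fs. The following is an added example, not code from the collector thread or from Zope itself. It reproduces the '{SHA}' encoding visible in the report's output (base64 of the raw SHA-1 digest), verifies a password against it in constant time, audits a user folder for credentials still stored in cleartext, and migrates them to the digest form. The user folder is modelled as a plain dict and the sample entries are constructed; the function names are this example's own.

```python
# Added example (not from the collector thread or from Zope): the '{SHA}'
# digest form seen in the report, a constant-time verifier for it, an audit
# that flags user records whose stored credential is still cleartext, and
# the migration that hashes them.
import base64
import hashlib
import hmac
import re

SHA_PREFIX = "{SHA}"
# Any "{SCHEME}payload" value is treated as a digest. Only {SHA} appears on
# the page; accepting other scheme names here is an assumption of this example.
DIGEST_RE = re.compile(r"\{[A-Z0-9]+\}\S+")


def encode_sha_password(password: str) -> str:
    """'{SHA}' scheme as shown in the report: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def verify_sha_password(password: str, stored: str) -> bool:
    """Check a candidate password against a '{SHA}' value without a timing leak."""
    if not stored.startswith(SHA_PREFIX):
        return False
    return hmac.compare_digest(encode_sha_password(password), stored)


def is_hashed(stored: str) -> bool:
    """True if the stored credential carries a '{SCHEME}' prefix, False if cleartext."""
    return DIGEST_RE.fullmatch(stored) is not None


def audit_user_folder(users: dict) -> list:
    """Return the sorted names of users whose stored credential is cleartext."""
    return sorted(name for name, stored in users.items() if not is_hashed(stored))


def migrate_to_sha(users: dict) -> dict:
    """Copy of the folder with every cleartext credential replaced by its '{SHA}' digest."""
    return {
        name: stored if is_hashed(stored) else encode_sha_password(stored)
        for name, stored in users.items()
    }


# Constructed sample mirroring the report: one hashed admin, one cleartext user.
SAMPLE_USERS = {
    "administrator": encode_sha_password("topsecret"),
    "normaluser": "theuserpassword",
}

if __name__ == "__main__":
    print("cleartext credentials:", audit_user_folder(SAMPLE_USERS))
    fixed = migrate_to_sha(SAMPLE_USERS)
    print("after migration:", audit_user_folder(fixed))
    print("normaluser still logs in:",
          verify_sha_password("theuserpassword", fixed["normaluser"]))
```

The audit is the check an administrator would run after reading entry #2: it tells you whether the "disabled by default" encryption was ever switched on for the accounts you care about. Note that the '{SHA}' form on the page is an unsalted SHA-1 digest; it keeps the password out of a `strings` dump, which is the point of the report, but a salted, deliberately slow scheme is the appropriate choice where one is available.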
==============================================================