[Zope-dev] Security glitch on user-editing form

Alexander Staubo alex@mop.no
Tue, 11 May 1999 15:48:09 +0200


I just found that Zope presents the user-editing form (manage_users)
with the password in plaintext. That's a bit crude.

The HTML code that Zope produces is like this:

...
<TR>
<TD VALIGN="TOP">
<STRONG>Password</STRONG>
</TD>
<TD VALIGN="TOP">
<INPUT TYPE="PASSWORD" NAME="password" VALUE="cucumber" SIZE="40">
</TD>
</TR>
...

This is a security problem -- in two ways: Firstly, the password is in
the HTML, and secondly, the number of characters in the password can be
interpreted by the user.

Also it's quite redundant. There's no reason for Zope to pass the actual
password. Zope should give the HTML thus:

<INPUT TYPE="PASSWORD" NAME="password" VALUE="123456789" SIZE="40">

If the user posts changes without changing the password, Zope can detect
if the password it receives is "123456789" and ignore it. A better dummy
password should perhaps be chosen to avoid clashing with potential
real-world passwords.

Alternatively, a check box could be provided requiring the user to check
the box in order to change password.

Just my 2 cents' worth. The future obviously is in public-key
encryption, but until Zope gets it, plaintext passwords ought to be
secured as tightly as possible.

Alexander Staubo
http://www.mop.no/~alex/
mailto:redhand@mop.no
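An added example, not code from the post or from Zope, showing the two mitigations proposed above in Python: a constant dummy value that the server recognises and ignores, and a checkbox that must be ticked before a new password is accepted. The DUMMY_PASSWORD value, the in-memory USERS store and the function names are assumptions for illustration.

```python
import html

# Constant placeholder rendered instead of the stored password. Its length is
# fixed, so the form reveals neither the password nor its character count.
DUMMY_PASSWORD = "*unchanged*"  # assumption: unlikely to clash with a real password

# Constructed in-memory user store (assumption; Zope's real storage differs).
USERS = {"alex": {"password": "cucumber", "roles": ["Manager"]}}


def render_password_row(use_checkbox=False):
    """Build the password row of the edit form without the stored password."""
    if use_checkbox:
        # Variant 2: field starts empty and is only honoured when the
        # "change password" box is ticked.
        field = ('<INPUT TYPE="CHECKBOX" NAME="change_password" VALUE="1"> change\n'
                 '<INPUT TYPE="PASSWORD" NAME="password" VALUE="" SIZE="40">')
    else:
        # Variant 1: a dummy value the server detects and ignores on submit.
        field = ('<INPUT TYPE="PASSWORD" NAME="password" VALUE="%s" SIZE="40">'
                 % html.escape(DUMMY_PASSWORD, quote=True))
    return ('<TR><TD VALIGN="TOP"><STRONG>Password</STRONG></TD>'
            '<TD VALIGN="TOP">%s</TD></TR>' % field)


def apply_user_edit(name, form, use_checkbox=False):
    """Apply a posted edit; return True only if the password was changed."""
    user = USERS[name]
    submitted = form.get("password", "")
    if use_checkbox:
        wants_change = form.get("change_password") == "1"
    else:
        wants_change = submitted != DUMMY_PASSWORD
    # Ignore the dummy, an unticked box, and an accidentally cleared field.
    if not wants_change or submitted == "":
        return False
    user["password"] = submitted
    return True
```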