[Zope-dev] Lax 'manage_access' practice?

Tres Seaver tseaver@palladion.com
Fri, 29 Oct 1999 11:42:57 -0500


I was tweaking with adding some of the functionality of 'manage_access' to a
custom form/method, and discovered what seems to be a hole in it:  the form
embeds the edited user's password (in plaintext) as the text of the
password/confirm fields (either text or hidden fields).  In either case, "View |
Page Source" shows the plaintext.

"Normally", administrators are not able to see users' passwords, but can only
reset them.  Is this a real problem, or is BasicAuthentication so weak that we
shouldn't care, anyway?

Tres.
-- 
=========================================================
Tres Seaver         tseaver@palladion.com    713-523-6582
Palladion Software  http://www.palladion.com
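The leak described in the post, as an added illustration that is not part of the message and not Zope's own 'manage_access' code: a user-edit form that pre-fills the password/confirm fields from a stored plaintext password exposes it to anyone who can read the page source, whereas a form backed by salted-hash storage has nothing to echo and can only let an administrator set a new password. The user record, the "hunter2" credential, the form field names and the function names are all constructed for the example.

```python
"""Added example (not from the post, not Zope code): plaintext-echoing form
versus reset-only form over hashed storage, plus the page-source check."""
import hashlib
import hmac
import html
import os

# Constructed sample record: a user store that keeps the password in plaintext.
# "hunter2" is an invented value for the example, not a real credential.
PLAINTEXT_USERS = {"alice": {"password": "hunter2", "roles": ["Manager"]}}


def render_leaky_form(username, users=PLAINTEXT_USERS, hidden=False):
    """Mirrors the practice the post describes: the user's current password is
    written into the password/confirm fields, either as visible password inputs
    or as hidden inputs.  Either way it is in the HTML source."""
    field_type = "hidden" if hidden else "password"
    pw = html.escape(users[username]["password"], quote=True)
    return (
        '<form action="manage_users" method="post">\n'
        f'<input type="hidden" name="name" value="{html.escape(username)}">\n'
        f'<input type="{field_type}" name="password" value="{pw}">\n'
        f'<input type="{field_type}" name="confirm" value="{pw}">\n'
        '<input type="submit" value="Save">\n'
        '</form>'
    )


# --- hardened variant: store only a salted hash, so nothing can be echoed ----
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return 'saltHex$digestHex' for PBKDF2-HMAC-SHA256 over the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Same constructed user, but the store now holds only the hash.
HASHED_USERS = {"alice": {"password": hash_password("hunter2"), "roles": ["Manager"]}}


def set_password(username, new_password, users=HASHED_USERS):
    """What an administrator can do with hashed storage: reset, not read."""
    users[username]["password"] = hash_password(new_password)


def render_reset_form(username, users=HASHED_USERS):
    """Hardened form: the server cannot reproduce the password, so the fields
    are rendered empty and the form only accepts a new value."""
    users[username]  # raise KeyError early for an unknown user
    return (
        '<form action="manage_users" method="post">\n'
        f'<input type="hidden" name="name" value="{html.escape(username)}">\n'
        '<input type="password" name="password" value="">\n'
        '<input type="password" name="confirm" value="">\n'
        '<input type="submit" value="Reset password">\n'
        '</form>'
    )


def leaks_secret(rendered_html, secret):
    """The check a reviewer would run against the rendered page: does the
    page source contain the credential anywhere (visible or hidden field)?"""
    return html.escape(secret, quote=True) in rendered_html


if __name__ == "__main__":
    for hidden in (False, True):
        page = render_leaky_form("alice", hidden=hidden)
        print(f"leaky form (hidden={hidden}) leaks password:",
              leaks_secret(page, "hunter2"))
    print("reset form leaks password:",
          leaks_secret(render_reset_form("alice"), "hunter2"))
```

The 'leaks_secret' check is deliberately dumb: it only proves the point for a known password, which is exactly the situation of an administrator reviewing their own form. For auditing a real form you would instead grep the rendered source for any non-empty 'value=' on a password-type or password-named field, since the server should never have a value to put there.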