[Zope] Major security flaw in Zope 2.3.2
Jerome Alet
alet@unice.fr
Wed, 6 Jun 2001 19:59:47 +0200
On Wed, Jun 06, 2001 at 08:41:06AM -0500, Farrell, Troy wrote:
> security system from the filesystem. These passwords should not be
> cleartext anymore than you would select the cleartext option for your
> inituser or access file.
That's exactly what surprised me the most:
you can select an encryption method for the initial user's password, but all other
passwords are stored unencrypted.
IMHO this is a trivial patch: We agree that passwords travel basically unencrypted over the wires,
so we can't do anything there. However everytime we receive a password from the network, just encrypt
it and compare it against the encrypted password which is stored in the ZODB.
Of course for every new user of every password change, store the password in an encrypted
form (MD5 will do).
The patch should be an one (or two) liner (although I've not verified) and should be transparent
for everyone.
bye,
Jerome Alet