[Zope] Major security flaw in Zope 2.3.2
Jerome Alet
alet@unice.fr
Wed, 6 Jun 2001 20:49:14 +0200
On Wed, Jun 06, 2001 at 02:22:28PM -0400, Brian Lloyd wrote:
> http://dev.zope.org/Wikis/DevSite/Proposals/EncryptedUserfolderPasswords
I didn't know that.
> It is a little more than a 2 or 3 line patch; please read what's
> already there, add your comments, help us to work out the
> conversion issues, and help us get a sense of priority for this.
I'll try to give it a look.
> It is rather dispiriting to see a "shocking major security flaw!"
> thread about something that has been quite visible in the proposals
> area for nearly 6 months. :(
Sorry, I understand your feelings. I was so shocked to discover this
that I posted in too emotional a spirit, I suppose.
The very disturbing thing is the fact that the inituser file is encrypted,
so I was confident that all other passwords were encrypted.
However, this problem doesn't need another 6 months or so for a solution.
> Please let me know if you have ideas for improvements we can make
> to the fishbowl to encourage more people to use it.
Yes, as Oleg would probably say: put all this in a mailing list!
bye,
Jerome Alet