[Zope] Major security flaw in Zope 2.3.2
Evan Simpson
evan@4-am.com
Wed, 6 Jun 2001 21:36:15 -0400
From: "Jerome Alet" <alet@unice.fr>
> Of course for every new user of every password change, store the password
> in an encrypted form (MD5 will do).
>
> The patch should be a one (or two) liner (although I've not verified) and
> should be transparent for everyone.
Keep in mind that there's a price to be paid, here. Since HTTP is
connectionless, interacting with Zope requires re-authenticating on every
request. If you're going to have a lot of requests that require
authentication, you want it to be computationally inexpensive. On the other
hand, if the only people logging in are a few developers, it's not a
problem.
Cheers,
Evan @ digicool & 4-am
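The trade-off Evan describes, as an added illustration that is not part of this thread or of Zope: a stored credential is verified afresh on every connectionless request, so the per-check cost of the hash is paid per request. Assumes a constructed user record, a plain salted MD5 check as the thread suggests, and PBKDF2 (not mentioned in the thread) as the tunable-cost alternative.

```python
import hashlib
import hmac
import os
import time


def make_record(password: str, scheme: str = "md5", iterations: int = 20_000) -> dict:
    """Build the stored credential record (constructed example; no cleartext kept)."""
    salt = os.urandom(16)
    if scheme == "md5":
        # One cheap digest per check: inexpensive per request, which is also why
        # a leaked record can be guessed at quickly offline.
        digest = hashlib.md5(salt + password.encode()).digest()
        iterations = 1
    elif scheme == "pbkdf2":
        # Iterated hash with an explicit work factor (assumption: not from the thread).
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    else:
        raise ValueError(f"unknown scheme {scheme}")
    return {"scheme": scheme, "salt": salt, "iterations": iterations, "digest": digest}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash for one request and compare in constant time."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(record["salt"] + password.encode()).digest()
    else:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), record["salt"], record["iterations"]
        )
    return hmac.compare_digest(candidate, record["digest"])


def serve(record: dict, password: str, requests: int) -> tuple:
    """Simulate N connectionless HTTP requests, each re-authenticating.

    Returns (all_accepted, seconds_spent_hashing) so the per-request cost is visible.
    """
    start = time.perf_counter()
    ok = all(verify(record, password) for _ in range(requests))
    return ok, time.perf_counter() - start


if __name__ == "__main__":
    for scheme in ("md5", "pbkdf2"):
        rec = make_record("correct horse", scheme)
        ok, secs = serve(rec, "correct horse", 100)
        print(f"{scheme:7s} 100 requests -> accepted={ok} hashing={secs:.3f}s")
```

Raising `iterations` makes the offline-guessing cost and the per-request cost grow together, which is exactly the price the reply warns about for request-heavy sites.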