[Zope] Major security flaw in Zope 2.3.2
Fred Yankowski
fred@ontosys.com
Thu, 7 Jun 2001 09:20:56 -0500
On Thu, Jun 07, 2001 at 12:00:44AM +0500, Hannu Krosing wrote:
> Afaik, the only bad behaviour from hashing (_not_ encrypting) the
> passwords would be the impossibility to use password verification
> methods that don't send cleartext passwords over the wire
> (challenge-response password exchange).
The "PHPlib" package for PHP provides a challenge-response
authentication scheme where the browser runs a JavaScript function to
hash the user-supplied password value before sending it as form data.
If JavaScript is disabled or not available, the clear-text password is
sent instead and the value hashed at the server to match against the
stored value.
--
Fred Yankowski fred@OntoSys.com tel: +1.630.879.1312
Principal Consultant www.OntoSys.com fax: +1.630.879.1370
OntoSys, Inc 38W242 Deerpath Rd, Batavia, IL 60510, USA