[Zope] Major security flaw in Zope 2.3.2
Hannu Krosing
hannu@tm.ee
Thu, 07 Jun 2001 17:06:55 +0200
Fred Yankowski wrote:
>
> On Thu, Jun 07, 2001 at 12:00:44AM +0500, Hannu Krosing wrote:
> > Afaik, the only bad behaviour from hashing (_not_ encrypting) the
> > passwords would be the impossibility to use password verification
> > methods that don't send cleartext passwords over the wire
> > (challenge-response password exchange).
>
> The "PHPlib" package for PHP provides a challenge-response
> authentication scheme where the browser runs a javascript function to
> hash the user-supplied password value before sending it as form data.
> If javascript is disabled or not available, the clear-text password is
> sent instead and the value hashed at the server to match against the
> stored value.

Just sending a hashed value does not make it any more secure, as said
hashed value is as easy to sniff as plaintext.

To have a real challenge-response, something like the following must be
done:

SERVER: generates a random string RS and sends RS to client
CLIENT: computes MD5(password+RS) and sends this back to server
SERVER: compares hash sent by client to locally computed MD5(password+RS)

For this to work the server needs to know the plaintext password.

--------------
Hannu
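
The exchange described above, as an added example that is not part of the original post: both sides of the MD5(password+RS) handshake, next to the challenge-free variant where the client always sends MD5(password). The user store, the PENDING single-use bookkeeping and all function names are assumptions made for illustration; MD5 is kept only because the post names it.

```python
import hashlib
import hmac
import secrets

# Constructed sample data. The server keeps the plaintext password because the
# scheme in the post needs it to recompute MD5(password+RS).
USER_DB = {"fred": "s3cret-example"}
PENDING = {}  # user -> outstanding RS (hypothetical single-use bookkeeping)

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def server_challenge(user: str) -> str:
    """SERVER: generate a random string RS and remember it for this attempt."""
    rs = secrets.token_hex(16)
    PENDING[user] = rs
    return rs

def client_response(password: str, rs: str) -> str:
    """CLIENT: compute MD5(password+RS) and send it back."""
    return md5_hex(password + rs)

def server_verify(user: str, response: str) -> bool:
    """SERVER: compare the client's hash to the locally computed one."""
    rs = PENDING.pop(user, None)  # each RS is accepted at most once
    password = USER_DB.get(user)
    if rs is None or password is None:
        return False
    return hmac.compare_digest(md5_hex(password + rs), response)

def static_hash_verify(user: str, sent_hash: str) -> bool:
    """Challenge-free variant: the client always sends MD5(password)."""
    password = USER_DB.get(user)
    return password is not None and hmac.compare_digest(md5_hex(password), sent_hash)

def demo() -> dict:
    on_wire = client_response("s3cret-example", server_challenge("fred"))
    first = server_verify("fred", on_wire)    # legitimate login succeeds
    server_challenge("fred")                  # a later attempt gets a new RS
    resent = server_verify("fred", on_wire)   # old response no longer matches
    static = md5_hex("s3cret-example")        # identical bytes on every login
    reused = static_hash_verify("fred", static) and static_hash_verify("fred", static)
    return {"first": first, "resent": resent, "static_reused": reused}

if __name__ == "__main__":
    print(demo())
```

The response bound to RS is rejected once the server has moved on to a new RS, while the static hash is accepted every time it is presented, which is why it protects no better than the plaintext on the wire.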