[Zope] Major security flaw in Zope 2.3.2

Hannu Krosing hannu@tm.ee
Thu, 07 Jun 2001 17:06:55 +0200


Fred Yankowski wrote:
> 
> On Thu, Jun 07, 2001 at 12:00:44AM +0500, Hannu Krosing wrote:
> > Afaik, the only bad behaviour from hashing (_not_ encrypting) the
> > passwords would be the impossibility to use password verification
> > methods that don't send cleartext passwords over the wire
> > (challenge-response password exchange).
> 
> The "PHPlib" package for PHP provides a challenge-response
> authentication scheme where the browser runs a javascript function to
> hash the user-supplied password value before sending it as form data.
> If javascript is disabled or not available, the clear-text password is
> sent instead and the value hashed at the server to match against the
> stored value.

Just sending a hashed value does not make it any more secure, as said hashed value is as easy to sniff as plaintext.


To have a real challenge response, something like the following must be done:

SERVER: generates a random string RS and sends RS to client

CLIENT: MD5(password+RS) and sends this back to server

SERVER: compares hash sent by client to locally computed MD5(password+RS)

For this to work, the server needs to know the plaintext password.


--------------
Hannu
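An added example, not code from the thread or from Zope or PHPlib, that puts both points of the message side by side: the "client hashes the password and sends it" scheme, where the hashed value is as reusable as the password itself, and the SERVER/CLIENT/SERVER challenge-response exchange described above, which needs the plaintext password on the server. The user store, the password and the nonce length are constructed for the demonstration; MD5 is kept only because it is the hash the post names.

```python
import hashlib
import secrets

# Constructed credential store. The challenge-response scheme below only works
# because the server keeps the plaintext password, as the post points out.
USERS = {"alice": "correct horse battery staple"}


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


# --- Scheme 1: client hashes the password, no challenge (PHPlib style) ---

def static_verify(user: str, sent_hash: str) -> bool:
    """Server compares the value the client sent with MD5(stored password)."""
    password = USERS.get(user)
    return password is not None and secrets.compare_digest(md5_hex(password), sent_hash)


def static_hash_is_replayable(user: str, password: str) -> bool:
    """The wire value is identical on every login, so a sniffed copy keeps working."""
    captured = md5_hex(password)  # what an observer of one login sees on the wire
    return static_verify(user, captured) and static_verify(user, captured)


# --- Scheme 2: real challenge-response, the three steps from the post ---

def server_challenge() -> str:
    """SERVER: generate a fresh random string RS for this login attempt."""
    return secrets.token_hex(16)


def client_response(password: str, rs: str) -> str:
    """CLIENT: send MD5(password + RS) instead of the password."""
    return md5_hex(password + rs)


def server_verify(user: str, rs: str, response: str) -> bool:
    """SERVER: recompute MD5(password + RS) from the plaintext password and compare."""
    password = USERS.get(user)
    return password is not None and secrets.compare_digest(md5_hex(password + rs), response)


def login(user: str, password: str) -> bool:
    rs = server_challenge()
    return server_verify(user, rs, client_response(password, rs))


def response_is_replayable(user: str, password: str) -> bool:
    """A captured response is bound to its RS; the next login gets a different RS."""
    captured = client_response(password, server_challenge())
    return server_verify(user, server_challenge(), captured)
```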