[Zope] Major security flaw in Zope 2.3.2
Fred Yankowski
fred@ontosys.com
Thu, 7 Jun 2001 10:15:21 -0500
On Thu, Jun 07, 2001 at 05:06:55PM +0200, Hannu Krosing wrote:
> Just sending a hashed value does not make it any more secure, as
> said hashed value is as easy to sniff as plaintext.
Sorry, I over-simplified my description of the PHPlib scheme.

Server:
    Generate new challenge value.

    Send login form with challenge value as value of hidden form field.

Client:
    Collect username and password on form.

    If Javascript enabled, create MD5 hash of password value, create
    MD5 hash from concatenation of username, MD5-hashed password, and
    challenge. Save latter hash value in hidden form field.

Server:
    If hidden form field has a value, create MD5 hash from username,
    password (from database, stored already MD5-hashed), and
    challenge; compare that value against the one sent by the client
    to authenticate.

    If hidden form field has no hash value (client didn't run
    javascript code), do MD5 hash on clear-text password sent by
    client and compare against database value for given username to
    authenticate.

--
Fred Yankowski fred@OntoSys.com tel: +1.630.879.1312
Principal Consultant www.OntoSys.com fax: +1.630.879.1370
OntoSys, Inc 38W242 Deerpath Rd, Batavia, IL 60510, USA
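
The exchange described above, as an added Python example that is not part of the original post and is not PHPlib's code. The names (LoginServer, client_response, response_for), the separator-free concatenation, the lowercase hex digests, the single-use challenge tracking and the sample user are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def response_for(username, password_md5, challenge):
    # Order from the post; concatenating with no separator is an assumption.
    return md5_hex(username + password_md5 + challenge)

def client_response(username, password, challenge):
    # Client side: only this value crosses the wire, not the password.
    return response_for(username, md5_hex(password), challenge)

class LoginServer:
    def __init__(self, users):
        self.users = users          # username -> MD5(password), as stored
        self.outstanding = set()    # issued challenges not yet consumed

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def authenticate(self, username, challenge, response="", password=""):
        # Assumption: a challenge is valid once, so a sniffed response
        # cannot be replayed against it.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        stored = self.users.get(username)
        if stored is None:
            return False
        if response:   # hidden field filled in: client ran the script
            expected = response_for(username, stored, challenge)
        else:          # fallback: clear-text password was sent
            expected, response = stored, md5_hex(password)
        return hmac.compare_digest(expected.encode(), response.encode())

def demo():
    pw = "constructed-password"     # constructed sample credentials
    server = LoginServer({"alice": md5_hex(pw)})
    c1 = server.new_challenge()
    r1 = client_response("alice", pw, c1)
    first = server.authenticate("alice", c1, response=r1)
    replay = server.authenticate("alice", c1, response=r1)
    stale = server.authenticate("alice", server.new_challenge(), response=r1)
    fallback = server.authenticate("alice", server.new_challenge(), password=pw)
    return first, replay, stale, fallback
```

In this scheme the stored MD5(password) is the value the server computes the expected response from, so the user table needs the same protection as clear-text passwords, and the fallback branch still carries the password in the clear unless the transport is encrypted.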