[Zope] Question about Zope and security

Tino Wildenhain tino at wildenhain.de
Thu Mar 30 01:03:33 EST 2006


Cyrille Bonnet wrote:
> Hi there,
> 
> I have been telling all my clients about how great Zope is for security:
> fine-grained permissions, security framework, roles, etc.
> 
> Now, one of my clients has a security expert who took a close look at
> how Zope authenticates users. The results were not good.
> 
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).

No, Zope does not do that. There are user folders and extensions
(like CookieCrumbler) which do that. You can have any mechanism
you want.

> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.

So does it? With an SSL layer?

> I know, the odds of that happening are low, but storing the username and
> password in clear text is clearly not best practice.

Sure you have to take care - but enabling some kind of digest auth
(below) isn't that hard - otoh, your password will be transferred
over the net in clear text in many cases - if you have a form
based login you will for sure transfer clear text username and
password. You could try javascript tricks to put digest-like
authentication in a form based login, but that's not so easy and
bulletproof. And if you stress it too much you have great
security - but no users :-)
So if you are concerned about security, just put an SSL layer on
top of Zope. Usually via apache mod_ssl, mod_proxy and mod_rewrite.
You can also use pound or squid.

> So, my question is: is there a way to secure Zope authentication?
> 
> I did find Dieter Mauer's DigestAuth product:
> http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth

Digest auth - so your users' browsers support it - is a solution
and better than basic auth. However you don't have a nice
login form and you can't log out.

> It looks good. I have used other products from Dieter before and was very
> pleased with the quality of his code.
> 
> Now, have other people used it? Does it work with WebDAV? How secure is
> it (I am no security/encryption expert)?

WebDAV is just HTTP, so all you apply to it holds true for WebDAV
as well - besides the fact you can't have login forms. So basic auth
or digest auth can be used and can be secured via SSL.

> Also, if it is good, why is not part of default Zope??

Cookie auth isn't part of default Zope either.

> Finally, a little side story: you know how in Windows XP, you can
> connect a drive to a WebDAV server? Well, if you install Service Pack 2,
> you can't use that feature to connect to Zope anymore. Interestingly
> enough, it seems that it is precisely because of that authentication
> vulnerability: Win XP SP2 refuses to connect to a WebDAV that doesn't at
> least encode the username/password in Digest authentication...
> 
Yes, MS never gets it right with official standards. You can patch
around to make it work with the Windows of the day, but you might
need to change it next time again. However you can use 3rd party
products like WebDrive/TeamDrive which have been reported to work
flawlessly since the early days of Zope's WebDAV support.

Kind regards
Tino
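The thread's core point is that Basic auth and cookie auth only base64-encode the credentials, while Digest auth sends a nonce-bound MD5 response from which the password cannot be read back. The following Python example (added here; it is not code from the original post, from Zope, or from the DigestAuth product) builds both header types for a constructed sample credential and shows what a passive observer of an unencrypted connection can recover from each, and why a Digest response cannot simply be replayed under a fresh nonce. The realm, nonce, URI and credential values are constructed for illustration; the Digest computation follows RFC 2617 without the `qop` extension.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values (not taken from the original post).
USERNAME = "alice"
PASSWORD = "s3cret-example"
REALM = "Zope"
URI = "/manage_main"


def basic_header(user, pw):
    """Build an HTTP Basic Authorization header (RFC 2617 section 2)."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def credentials_visible_on_wire(header):
    """What an observer of a plaintext connection reads from a Basic header:
    base64 is an encoding, not encryption, so the username and password
    come straight back out. Returns None for non-Basic headers."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


def _ha1(user, realm, pw):
    """HA1 = MD5(user:realm:password). A server stores this, never the password."""
    return hashlib.md5(f"{user}:{realm}:{pw}".encode()).hexdigest()


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def digest_header(user, pw, realm, method, uri, nonce):
    """Build the client's Digest Authorization header for one request."""
    response = digest_response(_ha1(user, realm, pw), method, uri, nonce)
    fields = [("username", user), ("realm", realm), ("nonce", nonce),
              ("uri", uri), ("response", response)]
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in fields)


def parse_digest_header(header):
    """Parse key="value" pairs out of a Digest header into a dict."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', rest))


def digest_server_verify(header, stored_ha1, method, expected_nonce):
    """Server side: recompute the response from the stored HA1 and the nonce
    the server actually issued, and compare in constant time. A response
    captured under an old nonce fails because the nonce no longer matches."""
    fields = parse_digest_header(header)
    if fields is None or fields.get("nonce") != expected_nonce:
        return False
    expected = digest_response(stored_ha1, method, fields.get("uri", ""), expected_nonce)
    return hmac.compare_digest(fields.get("response", ""), expected)


def demo():
    """Run both schemes once and return a summary the caller can inspect."""
    basic = basic_header(USERNAME, PASSWORD)
    nonce_1 = "constructed-nonce-0001"
    nonce_2 = "constructed-nonce-0002"
    digest = digest_header(USERNAME, PASSWORD, REALM, "GET", URI, nonce_1)
    stored = _ha1(USERNAME, REALM, PASSWORD)
    return {
        "basic_leaks": credentials_visible_on_wire(basic),
        "digest_contains_password": PASSWORD in digest,
        "digest_valid_same_nonce": digest_server_verify(digest, stored, "GET", nonce_1),
        "digest_replayed_new_nonce": digest_server_verify(digest, stored, "GET", nonce_2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The Basic header yields the username and password verbatim; the Digest header carries only an MD5 over the password, realm, nonce and request, so an observer cannot read the password and cannot reuse the captured response once the server issues a new nonce. Note that MD5-based Digest still lets an observer attempt offline guessing against the captured response, which is the reason the reply above recommends an SSL layer in front of Zope regardless of the scheme chosen.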