[Zope] Zope.org membership

mindlace mindlace@digicool.com
Mon, 22 May 2000 12:32:04 -0600


Graham Chiu wrote:
 
> I went there, clicked on the buttons, and got DNS errors.

This link should show you all the cookies you have at www.zope.org:

http://www.securityspace.com%2fexploit%2fexploit_1b.html%3fdomain==.www.zope.org/#exploit_1
 
> Well, you only have to save one half of a pair.  I would prefer you save
> the password.  The username I can remember :-)

Your username is publicly accessible from zope.org.  With your password,
if there's any way I can infer your username (let's say the webmaster
grabbed the information while you were posting a comment on
zopeisevil.org), they can now do whatever you could do.

More to the point, with redirection and javascript, they can even make
you do it.  For zope.org membership as it is today, all they could do is
besmirch your good name in the community. In the future, as the things a
zope member can do expand, it could mess up more.

I will, however, look into other possibilities, like maybe your password
could be filled in server side, if some appropriate check can be made.

If you like, drop this issue in the Tracker, http://www.zope.org/Tracker
, so that you'll be updated when its status changes.

> >If you're using IE 5 or Mozilla (NS 6) you can always tell it to
> >remember what you've entered into the password field.
> 
> Doesn't offer to save it for me on IE5. If it did, I wouldn't be asking.

Hmm.  It harasses me about it all the time.  Perhaps I'm using IE 5.5
(can't remember, I'm back in linux.)

~ethan