[Zope] Major security flaw in Zope 2.3.2

Jerome Alet alet@unice.fr
Wed, 6 Jun 2001 14:44:10 +0200


Hi,

First, I'm sorry if this is a well-known problem.

Anybody who can read the file Data.fs (or Data.fs.old) can also do 
whatever he wants on your ZODB.

Explanation: it seems that Zope 2.3.0 and 2.3.2 store passwords in clear text
in the ZODB!!!

The following is only partially tested, but should work:

Say someone has a local Unix account on your Zope server (I don't know about NT,
but I think the problem is still there), and has read-only access to
the Zope/var/Data.fs file.

Then he just installs Zope on his own machine, puts the stolen Data.fs
file there, and uses the emergency user facility to access it.

Then he just has to put an External Method in the root which does:

--- CUT ---
# External Method bound on the root folder, so self.acl_users is the User Folder
def dumppw(self):
    result = []
    for username in self.acl_users.getUserNames():
        user = self.acl_users.getUser(username)   # was getUser(newusername): undefined name
        clearpassword = user._getPassword()
        result.append((username, clearpassword))  # do something with username/clearpassword
    return result
--- CUT ---

The user now has a list of usernames/passwords to access YOUR ZODB's root from
anywhere, and can do whatever he wants.

Setting rw------- permissions on Data.fs may help, but not in all cases:

If Data.fs is owned by nobody.nogroup, Apache is installed on the same
machine, and the user can run his own CGI scripts (most ISPs, I suppose), then
by default the user's CGI scripts will run as nobody too, allowing him
to read Data.fs during his own CGI execution and copy it wherever he wants
during this time.

Solutions:

	* make Data.fs and Data.fs.old readable only by a user that no
          other user on the system can run commands as.

	* But the best thing to do is:

		Encrypt all passwords in the ZODB.

Hoping this helps.

bye,

Jerome Alet
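As an added illustration (not code from the post above and not Zope's own code), the following Python models the two halves of the message: a user folder that keeps passwords as-is, so that a plain byte search over its serialized record finds them just as the External Method does, and a folder that stores a random salt and a PBKDF2-HMAC-SHA256 digest instead, which is the usual way to carry out the "encrypt all passwords" suggestion. The ClearTextUserFolder and HashedUserFolder classes, the pickle-based serialize() stand-in for what ZODB writes into Data.fs, and the sample user names and passwords are all constructed for this example; they are not Zope's acl_users API.

```python
import hashlib
import hmac
import os
import pickle

# Constructed sample users for the example; not taken from any real Data.fs.
SAMPLE_USERS = {"manager": "correct horse battery", "alice": "s3cret-pass"}


class ClearTextUserFolder:
    """Model of a user folder that stores the password itself
    (the Zope 2.3.x behaviour the post describes). Hypothetical class."""

    def __init__(self):
        self.data = {}

    def add_user(self, name, password):
        self.data[name] = password

    def get_password(self, name):
        # Stands in for user._getPassword() in the post's External Method.
        return self.data[name]

    def authenticate(self, name, password):
        return self.data.get(name) == password


class HashedUserFolder:
    """Model of the fix: keep a random salt and a PBKDF2-HMAC-SHA256 digest,
    so the stored record does not reveal the password. Hypothetical class."""

    ITERATIONS = 100_000

    def __init__(self):
        self.data = {}

    @classmethod
    def _digest(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.data[name] = (salt, self._digest(password, salt))

    def authenticate(self, name, password):
        record = self.data.get(name)
        if record is None:
            # Do the same work for an unknown name so response time does not
            # reveal which usernames exist.
            self._digest(password, bytes(16))
            return False
        salt, stored = record
        return hmac.compare_digest(self._digest(password, salt), stored)


def serialize(folder):
    """ZODB writes pickles of persistent objects into Data.fs; this pickle of
    the folder's records is the stand-in for what a thief gets to read."""
    return pickle.dumps(folder.data)


def password_visible(folder, password):
    """True if the password appears verbatim in the serialized record, i.e. a
    plain byte search over the copied file would find it."""
    return password.encode("utf-8") in serialize(folder)


def dump_clear_passwords(folder):
    """What the post's External Method does, run against the clear-text model."""
    return sorted((name, folder.get_password(name)) for name in folder.data)


def build(folder_class):
    folder = folder_class()
    for name, password in SAMPLE_USERS.items():
        folder.add_user(name, password)
    return folder


if __name__ == "__main__":
    clear, hashed = build(ClearTextUserFolder), build(HashedUserFolder)
    print("clear-text store leaks password:", password_visible(clear, "s3cret-pass"))
    print("hashed store leaks password:    ", password_visible(hashed, "s3cret-pass"))
    print("dumped from clear-text store:", dump_clear_passwords(clear))
```

A reversible cipher would not help much in the scenario the post describes: the key would have to be readable by the Zope process, and in the CGI-as-nobody case anything Zope can read, the attacker can read too. A salted, slow hash gives the thief nothing that lets him log in directly; he still has to guess each password.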