[Zope] Major security flaw in Zope 2.3.2

Andy andy@agmweb.ca
Wed, 6 Jun 2001 08:07:45 -0700


DC's position has always been that if you can access your box's filesystem,
you can access Zope. For a web application server this seems reasonable to
me and has never concerned me; if anyone gets access to my filesystem on
IIS, I'm screwed as well. Sending passwords over HTTP and using plain text to
store them is a little more of a concern IMHO.

By the way, probably the easiest way to read passwords is to install Shane's
wxPython widget and browse the passwords in a GUI :)

----- Original Message -----
From: "Jerome Alet" <alet@unice.fr>
To: <zope@zope.org>
Sent: Wednesday, June 06, 2001 5:44 AM
Subject: [Zope] Major security flaw in Zope 2.3.2


> Hi,
>
> first I'm sorry if this is a well known problem.
>
> Anybody who can read the file Data.fs (or Data.fs.old) can also do
> whatever he wants on your ZODB.
>
> Explanation: it seems that Zope 2.3.0 and 2.3.2 store passwords in clear
> text in the ZODB !!!
>
> The following is only partially tested, but should work:
>
> Say someone has a local unix account on your Zope server (don't know for
> NT, but I think the problem is still there), and has read-only access to
> the Zope/var/Data.fs file.
>
> Then he just installs Zope on his own machine, puts the stolen Data.fs
> file there, and uses the emergency user facility to access it.
>
> Then he just has to put an External Method in the root which does:
>
> --- CUT ---
> # Walk the users in the root acl_users folder and read back the stored
> # password; on an affected Zope the stored value is the clear text.
> for username in self.acl_users.getUserNames():
>     user = self.acl_users.getUser(username)
>     clearpassword = user._getPassword()
>     # do something with username/clearpassword
> --- CUT ---
>
> The user now has a list of username/passwords to access YOUR ZODB's root
> from everywhere, and can do whatever he wants.
>
> Setting rw------- permissions on Data.fs may help, but not in all cases:
>
> if Data.fs is owned by nobody.nogroup, Apache is installed on the same
> machine, and the user can run his own cgi-scripts (most ISPs I suppose),
> then by default the user's CGI scripts will run as nobody too, allowing him
> to read Data.fs during his own CGI execution, and copy it wherever he
> wants during this time.
>
> Solutions:
>
> * make Data.fs and Data.fs.old only readable by a user every other user
>   on the system can't run commands as.
>
> * But the best thing to do is:
>
> Encrypt all passwords in the ZODB.
>
> Hoping this helps.
>
> bye,
>
> Jerome Alet
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>
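The two remedies Jerome lists, tightening the permissions on the storage file and not keeping clear-text passwords in the ZODB, can both be checked mechanically. The following is an added example written for this page; it is not code from either message in the thread nor from Zope itself. It assumes a generic salted PBKDF2-HMAC-SHA256 record format (scheme, iteration count, salt, digest, separated by `$`) that I chose for illustration, and it uses a throwaway temporary file in place of a real Data.fs to show what the permission check reports.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from typing import List, Optional

# Assumed parameters for this example (not from the thread or from Zope):
# PBKDF2-HMAC-SHA256, a 16-byte random salt, and a fixed iteration count.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    Only this record would be stored on the user object; the clear text never is,
    so a copied Data.fs yields salted digests rather than reusable passwords.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare it in constant time; malformed or foreign records never verify."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def storage_file_permission_problems(path: str) -> List[str]:
    """Report mode bits on a storage file (such as Data.fs) that let group
    members or every local account read it; an empty list means only the
    owner can read the file."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    return problems


def check_sample_storage_file(mode: int) -> List[str]:
    """Create a constructed stand-in for Data.fs with the given mode, run the
    permission check on it, and remove it again."""
    fd, path = tempfile.mkstemp(prefix="Data.fs.example-")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return storage_file_permission_problems(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample password
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse", record))
    print("verify wrong:  ", verify_password("incorrect horse", record))
    # A default 0644 file is exactly the exposure described in the thread;
    # 0600 is the first remedy Jerome proposes.
    print("mode 0644:", check_sample_storage_file(0o644))
    print("mode 0600:", check_sample_storage_file(0o600))
```

The record format is self-describing so the iteration count can be raised later without invalidating existing entries, and `hmac.compare_digest` avoids leaking which byte of a guess first differed. The permission check only covers the read bits Jerome's scenario depends on; it does not detect the CGI-runs-as-the-same-user case, which is a question of which account owns the file rather than of its mode.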