/error_log discloses passwords with ftp errors

Bug #142434 reported by Bug Importer
Affects: Zope 2
Status: Fix Released
Importance: Medium
Assigned to: Tres Seaver

Bug Description

Problem: Zope 2.6 /error_log discloses passwords with ftp errors

Severity: Medium in trusted environments (or rather High if you have untrusted users with restricted roles but access to the /error_log)

Versions tested: Zope 2.6

Workaround: Don't use ftp

Problem Description:
When a user requests a non-existent file through ftp, the "error_log" in the Zope root folder logs the error along with name and cleartext password used in the ftp. This can be used for privilege escalation by any users with low privilege roles, but access to the error_log. It's also very unfortunate if you don't plan to share your password with other people with "manager role".

From the Zope book:
"Chapter 7: Users and Security"

"Rest assured that it is not, however, possible for someone to find out your password from the management interface. Another manager may have access to change your password, but not find out what your current password is without changing it."

This is correct, as far as "from the management interface" is taken exclusively. But unfortunately it happens that passwords are disclosed through the error log for certain ftp errors.

Log in to the Zope ftp server and give an ftp command to try and get a nonexistent file:

ftp> get /frob frob
local: frob remote: /frob
227 Entering Passive Mode (212,55,199,131,127,9)
550 Error opening file.

Now go to the /error_log in the ZMI, find the error created by your ftp "mistake". There, in the "other" section we find:

...
__ac_password 'frobfrob'
SERVER_URL 'http://kronos:9021'
__ac_name 'frob'
...

The user's password is disclosed in clear text to any users with access to the error_log in the Zope root folder. Very unfortunate if you happen to use this same password for other accounts (or even a shell account on that machine). You might be allowing ftp only for local machine connections or for connections behind your firewall, but the same password is used for the ZMI which is usually available through the firewall.

I haven't created an account on zope.org yet, so please keep me updated on the progress of this. Thank you!

Tags: bug zope
Shane Hathaway (shaneh) wrote :

Actually, this has little to do with the error_log. We need to prevent __ac_password from being accessible by *any* user code.

Tres Seaver (tseaver) wrote :

Status: Pending => Accepted

Supporters added: tseaver

I'm adding code to the '__str__' method of HTTPRequest
which obscures the value of any form dict key which matches
'^.*passw.*$', ignoring case.
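
An added example (not Zope's own code) of the masking described in the comment above: a request renderer, standing in for HTTPRequest.__str__, that obscures any form or "other" key matching '^.*passw.*$' case-insensitively before the dump reaches the error_log. The sample request dict is constructed to mirror the log excerpt in the report; masking in the renderer only closes the error_log path shown here, not every way user code might reach the value.

```python
import re

# Pattern from the fix described in the comment: any key containing
# "passw" in any case is treated as a secret and never logged in clear.
PASSWORD_KEY = re.compile(r'^.*passw.*$', re.IGNORECASE)
MASK = '<password obscured>'


def obscure_secrets(mapping):
    """Return a copy of mapping with password-like keys masked."""
    return {k: (MASK if PASSWORD_KEY.match(k) else v)
            for k, v in mapping.items()}


def render_request_for_log(form, other):
    """Render request sections as an error_log dump would (hypothetical
    stand-in for HTTPRequest.__str__), with secrets masked first."""
    lines = []
    for title, section in (('FORM', form), ('OTHER', other)):
        lines.append(title)
        for key, value in sorted(obscure_secrets(section).items()):
            lines.append('%s %r' % (key, value))
    return '\n'.join(lines)


# Constructed sample request, modelled on the "other" section in the report.
SAMPLE_OTHER = {
    '__ac_name': 'frob',
    '__ac_password': 'frobfrob',
    'SERVER_URL': 'http://kronos:9021',
}
# A form field with mixed-case "Password" shows the case-insensitive match.
SAMPLE_FORM = {'new_Password': 'hunter2', 'id': 'frob'}

if __name__ == '__main__':
    print(render_request_for_log(SAMPLE_FORM, SAMPLE_OTHER))
```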

This report contains Public Security information  