/error_log discloses passwords with ftp errors
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Fix Released | Medium | Tres Seaver |
Bug Description
Problem: Zope 2.6 /error_log discloses passwords with ftp errors
Severity: Medium in trusted environments (or rather High if you have untrusted users with restricted roles but access to the /error_log)
Versions tested: Zope 2.6
Workaround: Don't use ftp
Problem Description:
When a user requests a non-existent file through ftp, the "error_log" in the Zope root folder logs the error along with the name and cleartext password used for the ftp login. This can be used for privilege escalation by any user with a low-privilege role but access to the error_log. It is also very unfortunate if you don't plan to share your password with other people who have the "manager" role.
From the Zope book:
"Chapter 7: Users and Security"
"Rest assured that it is not, however, possible for someone to find out your password from the management interface. Another manager may have access to change your password, but not find out what your current password is without changing it."
This is correct, as far as "from the management interface" is read strictly. But unfortunately it happens that passwords are disclosed through the error log for certain ftp errors.
Log in to the Zope ftp server and give an ftp command to try and get a non-existent file:

```
ftp> get /frob frob
local: frob remote: /frob
227 Entering Passive Mode (212,55,
550 Error opening file.
```

Now go to the /error_log in the ZMI and find the error created by your ftp "mistake". There, in the "other" section, we find:

```
...
__ac_password 'frobfrob'
SERVER_URL 'http://
__ac_name 'frob'
...
```
The user's password is disclosed in clear text to any user with access to the error_log in the Zope root folder. Very unfortunate if you happen to use this same password for other accounts (or even a shell account on that machine). You might be allowing ftp only for local machine connections or for connections from behind your firewall, but the same password is used for the ZMI, which is usually available through the firewall.
I haven't created an account on zope.org yet, so please keep me updated on the progress of this. Thank you!
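The report shows the error log capturing the raw request variables, `__ac_password` included. The following is an added example, not Zope's own code and not the fix that was shipped: it scrubs credential-carrying keys out of a captured request mapping before the entry is rendered, and audits already-written entry text (in the `key 'value'` shape the report quotes) for values that should never have been recorded. The key list `SENSITIVE_KEYS`, the `<redacted>` marker and the sample data are assumptions made for this example; only `__ac_name` and `__ac_password` come from the report.

```python
"""Added example (not Zope's own code): keep credentials out of an error-log
entry, and audit existing entry text for credentials that were recorded.

Assumptions for this example: the key names in SENSITIVE_KEYS, the REDACTED
marker, and the sample request/entry data below (constructed, not real).
"""
import re

# Request keys whose values must never reach an error log (assumed list;
# __ac_password is the key shown in the bug report).
SENSITIVE_KEYS = frozenset({
    "__ac_password",
    "HTTP_AUTHORIZATION",
    "HTTP_COOKIE",
})

REDACTED = "<redacted>"


def _is_sensitive(key):
    # Exact match on the known keys, plus any key containing 'password', so a
    # new login field does not silently reintroduce the leak.
    return key in SENSITIVE_KEYS or "password" in key.lower()


def redact_request_vars(request_vars):
    """Return a copy of a request-variable mapping with secret values masked.
    Non-secret values (the user name, SERVER_URL, ...) are kept for debugging."""
    return {
        key: (REDACTED if _is_sensitive(key) else value)
        for key, value in request_vars.items()
    }


def format_error_entry(request_vars):
    """Render the 'other' section of an entry, one "key 'value'" line per
    variable (the shape quoted in the report), after scrubbing."""
    scrubbed = redact_request_vars(request_vars)
    return "\n".join("%s %r" % (key, scrubbed[key]) for key in sorted(scrubbed))


# One "key 'value'" line of an entry dump, e.g.:  __ac_password 'frobfrob'
_ENTRY_LINE = re.compile(r"^\s*(\S+)\s+'([^']*)'\s*$", re.MULTILINE)


def find_leaked_secrets(entry_text):
    """Audit entry text that has already been written: return (key, value)
    pairs for credential keys whose value was recorded unredacted."""
    return [
        (key, value)
        for key, value in _ENTRY_LINE.findall(entry_text)
        if _is_sensitive(key) and value != REDACTED
    ]


# Constructed sample: what the unpatched log captured for the ftp 'get'
# described in the report (host name and values made up for the example).
SAMPLE_REQUEST_VARS = {
    "__ac_name": "frob",
    "__ac_password": "frobfrob",
    "SERVER_URL": "http://zope.example.test",
    "PATH_INFO": "/frob",
}

SAMPLE_UNPATCHED_ENTRY = """\
__ac_password 'frobfrob'
SERVER_URL 'http://zope.example.test'
__ac_name 'frob'
"""

if __name__ == "__main__":
    print(format_error_entry(SAMPLE_REQUEST_VARS))
    print("leaks in unpatched entry:", find_leaked_secrets(SAMPLE_UNPATCHED_ENTRY))
    print("leaks in scrubbed entry:",
          find_leaked_secrets(format_error_entry(SAMPLE_REQUEST_VARS)))
```

Scrubbing at the point where the entry is rendered only closes the error_log path; as the comment below notes, the real fix is to keep `__ac_password` out of reach of user code altogether, so that no other object that dumps request variables can leak it. `find_leaked_secrets` is the check to run over an existing log once the scrubbing is in place, to see which accounts' passwords were already exposed and need rotating.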
Actually, this has little to do with the error_log. We need to prevent __ac_password from being accessible by *any* user code.