[Zope-dev] New: Cross Site Scripting vulnerability

Martijn Pieters mj@zope.com
Sun, 23 Sep 2001 20:12:22 -0400


> Example:
>
> http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
>
> For example, an attacker might post a message like
>
>         Hello message board. This is a message.
>                <SCRIPT>malicious code</SCRIPT>
>         This is the end of my message.
>
>     When a victim with scripts enabled in their browser reads this
> message, the malicious code may be executed unexpectedly.
>     Scripting tags that can be embedded in this way include <SCRIPT>,
> <OBJECT>, <APPLET>, and <EMBED>.

First of all, I would appreciate it if you could send alleged security
problems to us in private, and not advertise these on a public mailing list.
I know that you had posted your previous 'discovery' to us in private some
time before you took it to the public lists, but the time given to us to
craft a response to your email was by far too short. One week would have
been the absolute minimum!

Secondly, could you in future also describe the exact problem in more
detail? I assume that you mean a malicious third party could in theory abuse
our server to create a page with malicious client-side code by crafting a
message on a message board or in an email, right? Your manner of posting
could suggest to others that the vulnerability lies with Zope itself, not
with browsers allowing malicious code via a generated web page.

Third, the 'classic.zope.org' link on the Zope.org error page has long been
overdue for removal, especially since classic is now down. I have removed
the auto-generated link to it.

--
Martijn Pieters
| Software Engineer  mailto:mj@zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
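The two cases argued over above (a request path echoed back verbatim in a "not found" page, and a message-board post carrying <SCRIPT>, <OBJECT>, <APPLET> or <EMBED> tags) reduce to the same defect: untrusted text is placed into HTML without escaping. The following is an added example written for this page; it is not Zope's code and not code from either correspondent. It assumes a server that URL-decodes the path before using it and a trivial error-page template (both assumptions, not Zope's actual behaviour); the request path and post body are constructed samples.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample modelled on the reported URLs (not a live request).
REPORTED_PATH = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"

# The tags the report names as executable once embedded in a page.
ACTIVE_TAG_RE = re.compile(r"<\s*(script|object|applet|embed)\b", re.IGNORECASE)


def not_found_page_unescaped(request_path: str) -> str:
    """Error page that echoes the request path verbatim.

    Reproduces the behaviour described in the report: whatever the client
    puts in the URL lands unchanged in the HTML, so a <SCRIPT> tag in the
    path becomes part of the page (reflected XSS). Assumed template.
    """
    path = unquote(request_path)  # assumption: server URL-decodes first
    return (
        "<html><body><h1>Resource not found</h1>"
        f"<p>The requested resource {path} does not exist.</p>"
        "</body></html>"
    )


def not_found_page_escaped(request_path: str) -> str:
    """Same error page, with the echoed path HTML-escaped.

    html.escape(..., quote=True) turns < > & " ' into entities, so the
    browser renders the attacker's text as text, not as markup.
    """
    path = html.escape(unquote(request_path), quote=True)
    return (
        "<html><body><h1>Resource not found</h1>"
        f"<p>The requested resource {path} does not exist.</p>"
        "</body></html>"
    )


def render_message(body: str) -> str:
    """Render one message-board post (the stored case) with escaping.

    Escaping, not tag stripping, is the fix: a blacklist of tag names
    misses attribute handlers and alternate spellings, while escaping
    removes the ability to open any tag at all.
    """
    return '<div class="message">' + html.escape(body, quote=True) + "</div>"


def contains_active_content(document: str) -> bool:
    """Check whether any of the listed scripting tags survive in the output."""
    return ACTIVE_TAG_RE.search(document) is not None


if __name__ == "__main__":
    for name, page in (
        ("unescaped", not_found_page_unescaped(REPORTED_PATH)),
        ("escaped", not_found_page_escaped(REPORTED_PATH)),
    ):
        print(f"{name}: active content = {contains_active_content(page)}")
        print("  " + page)
```

The check is deliberately narrow: it only confirms that the four tag names from the report cannot be opened in the output. It is a test for the example, not a filter to deploy; the defence is the escaping step, which is what makes the check pass.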