[Zope-dev] Re: 2.7 management_page_charset cannot be callable
Shane Hathaway
shane at zope.com
Thu Jan 15 21:02:16 EST 2004
On Fri, 16 Jan 2004, Alan Milligan wrote:
>
> Tres Seaver wrote:
> > That change is one of a number which are designed to prevent
> > cross-site scripting attacks; DTML is particularly vulnerable to such
> > cracks, as it doesn't force the template writer to choose the source
> > from which the name will be bound.
> >
> > Your scenario is actually quite close to the posited attack: imagine
> > that user 'black_hat' inserts a document whose title has nasty
> > javascript in an 'onload' attribute of a tag; such javascript can be
> > used, for instance, to steal cookies, to post to 'manage_shutdown', etc.
> >
> > Tres.
>
> Wooahh
>
> Who are we trying to protect ourselves from??
We are protecting ourselves from nasty URLs written by anyone on the web.
Because DTML is so implicit, it is conceivable that a URL like the
following might kill your site (or worse!):
http://zope.example.com/?title=<script>document.location=/Control_Panel/manage_shutdown</script>
For a black hat to exploit your site, he only needs to convince you to
follow the link. This is what is known as a cross-site scripting bug and
it's a widespread problem for all dynamic web servers like Zope. People
are really concerned about it. The only cure is to HTML-quote by default.
FWIW:
http://www.cgisecurity.com/articles/xss-faq.shtml
Shane
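To make the point concrete, here is an added simulation (not Zope's own code and not part of the thread) of the implicit binding Tres and Shane describe: a name used in a template is looked up on the document first and then, silently, in the request form, so a request parameter can supply the value. It renders the URL from the message both without and with HTML-quoting; the template, document and `lookup`/`render` helpers are all constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Matches a simplified <dtml-var NAME> tag (constructed stand-in for DTML syntax).
DTML_VAR = re.compile(r"<dtml-var (\w+)>")


def lookup(name, document, form):
    """Implicit binding: document attributes win, otherwise the request form supplies the name."""
    if name in document:
        return document[name]
    if name in form:
        return form[name][0]
    raise KeyError(name)


def render(template, document, form, quote):
    """Substitute every <dtml-var NAME>; with quote=True the bound value is HTML-quoted."""
    def substitute(match):
        value = lookup(match.group(1), document, form)
        return html.escape(value, quote=True) if quote else value
    return DTML_VAR.sub(substitute, template)


def form_from_url(url):
    """Parse the query string into the same shape a request form would have."""
    return parse_qs(urlsplit(url).query)


# The URL quoted in the message above, used here as constructed test input.
ATTACK_URL = ("http://zope.example.com/?title=<script>document.location="
              "/Control_Panel/manage_shutdown</script>")
TEMPLATE = "<html><head><title><dtml-var title></title></head><body><h1><dtml-var title></h1></body></html>"
DOCUMENT = {"id": "index_html"}  # no 'title' attribute, so the request form supplies it


def unquoted_page():
    return render(TEMPLATE, DOCUMENT, form_from_url(ATTACK_URL), quote=False)


def quoted_page():
    return render(TEMPLATE, DOCUMENT, form_from_url(ATTACK_URL), quote=True)


def contains_live_script(page):
    """Crude check: an unescaped <script> tag is something the browser would execute."""
    return "<script>" in page


if __name__ == "__main__":
    print(unquoted_page())  # the script tag reaches the browser verbatim
    print(quoted_page())    # &lt;script&gt;... is displayed as text instead
```

With quoting on by default, the same URL only produces visible text in the page, which is the cure Shane refers to; a document that actually has a `title` attribute never consults the request at all.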