[Zope-dev] Re: 2.7 management_page_charset cannot be callable
Alan Milligan
alan at balclutha.org
Fri Jan 16 00:45:38 EST 2004
This indeed is a problem.
Isn't this an issue because all of these quasi-private methods have a
document string and are hence callable via an http request? If we were
to remove the doc string from manage_form_title (ie via rewriting this
as a python method which delegates to the underlying DTML (made
private)), then this method would then render itself callable only via
DTML/ZPT etc wouldn't it???
Alan
Shane Hathaway wrote:
>On Fri, 16 Jan 2004, Alan Milligan wrote:
>
>>Tres Seaver wrote:
>>
>>>That change is one of a number which are designed to prevent
>>>cross-site scripting attacks; DTML is particularly vulnerable to such
>>>cracks, as it doesn't force the template writer to choose the source
>>>from which the name will be bound.
>>>
>>>Your scenario is actually quite close to the posited attack: imagine
>>>that user 'black_hat' inserts a document whose title has nasty
>>>javascript in an 'onload' attribute of a tag; such javascript can be
>>>used, for instance, to steal cookies, to post to 'manage_shutdown', etc.
>>>
>>>Tres.
>>>
>>Wooahh
>>
>>Who are we trying to protect ourselves from??
>>
>
>We are protecting ourselves from nasty URLs written by anyone on the web.
>Because DTML is so implicit, it is conceivable that an URL like the
>following might kill your site (or worse!):
>
>http://zope.example.com/?title=<script>document.location=/Control_Panel/manage_shutdown</script>
>
>For a black hat to exploit your site, he only needs to convince you to
>follow the link. This is what is known as a cross-site scripting bug and
>it's a widespread problem for all dynamic web servers like Zope. People
>are really concerned about it. The only cure is to HTML-quote by default.
>FWIW:
>
>http://www.cgisecurity.com/articles/xss-faq.shtml
>
>Shane
>
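The two points in this thread, Shane's "HTML-quote by default" cure and Alan's observation that only methods with a docstring are reachable through a URL, can both be seen in a few lines of Python. The code below is an added illustration, not code from the thread or from Zope itself: `DocumentLike`, `is_url_publishable` and the two `render_title_*` functions are constructed here, and `is_url_publishable` is a simplified stand-in for ZPublisher's real docstring rule, assumed for the example. The sample title reuses the URL payload from Shane's message.

```python
import html


def render_title_implicit(title):
    """Implicit DTML-style rendering: the title is inserted verbatim,
    so any markup a user put in it becomes live HTML in the page."""
    return "<h1>%s</h1>" % title


def render_title_quoted(title):
    """HTML-quote by default: <, >, &, \" and ' become entities, so the
    browser displays the text instead of executing it."""
    return "<h1>%s</h1>" % html.escape(title, quote=True)


class DocumentLike:
    """Constructed stand-in for a Zope document carrying a user-supplied title."""

    def __init__(self, title):
        self.title = title

    def index_html(self):
        """Publishable: this method has a docstring."""
        return render_title_quoted(self.title)

    def manage_form_title(self):
        # Deliberately no docstring: under the rule Alan describes this
        # method is only callable from server-side code, not via a URL.
        return render_title_quoted(self.title)


def is_url_publishable(obj, name):
    """Simplified model of the publisher rule (assumption, not Zope's code):
    an attribute is reachable through a URL only if its name is not
    underscore-prefixed, it is callable, and it carries a docstring."""
    if name.startswith("_"):
        return False
    attr = getattr(obj, name, None)
    return callable(attr) and bool(getattr(attr, "__doc__", None))


if __name__ == "__main__":
    # Constructed sample: the title payload from Shane's example URL.
    title = "<script>document.location=/Control_Panel/manage_shutdown</script>"
    print(render_title_implicit(title))   # script tag survives into the page
    print(render_title_quoted(title))     # script tag is shown as text
    doc = DocumentLike(title)
    for name in ("index_html", "manage_form_title", "_private"):
        print(name, "publishable via URL:", is_url_publishable(doc, name))
```

Run stand-alone, the first print shows the raw `<script>` element that a browser would execute, the second shows it neutralised as `&lt;script&gt;`, and the publishability check reports only `index_html` as URL-reachable.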