[Zope] Malicious HTML in (Squishdot) postings

Squishdot squishdot@yahoo.com
Fri, 4 Feb 2000 17:31:16 -0800 (PST)


Hi all,

CERT has issued a security advisory regarding improperly checked output from dynamic
pages. 

The CERT advisory can be found at:

            http://www.cert.org/advisories/CA-2000-02.html

Unfortunately, Squishdot is vulnerable to such problems. However, I (and others in the Zope
community) am trying to find a permanent solution to this. Of course, your help is also
welcome (code patches accepted :^))

While each site (e.g. depending on the audience, accessibility, amount of traffic) is vulnerable
in varying degrees to these types of problems, I would urge each administrator to evaluate
their own security policies regarding these problems and take steps appropriate for their own
circumstances.

In the meantime -- temporarily -- the best way to deal with the problem is to turn moderation
on for everything, and then properly check each posting manually.

Regards,

Butch

 


=====
Butch Landingin
Squishdot maintainer
http://squishdot.org
squishdot@yahoo.com