[Zope] Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

Oliver Bleutgen myzope@gmx.net
Tue, 09 Apr 2002 19:28:22 +0200


Brian Lloyd wrote:
>>[proposal of disallowing GETs for management methods]
>>The win would be that disabling javascript would make a client safe from 
>>this form of attack, AFAIK, OTOH I can't think of anything which would 
>>break ATM.
>>
> 
> While I don't necessarily disagree about making GETs idempotent, 
> this still doesn't make you "safe", even with JS turned off.

Ahh, idempotent, that word escaped me ;-).

> 
> A quick example: images can be used as form submit buttons. If 
> I can get you to visit a page and click on my innocent looking 
> image... you're done :)

Ok, I wasn't clear enough. What I proposed would at least give the 
browser implementors a chance to remedy the problem (e.g. ask before 
form submission etc.). Compare your scenario to that where one just 
needs to write
<img href="http://victimserver/evilmethod">

> 
> This is a hard, hard problem. While some good ideas have been 
> proposed, there is not really a quick fix that doesn't have 
> some downside that some group somewhere considers a 
> showstopper :(

I consider what I wrote really not the most sophisticated idea around, 
more something in the line of disabling unneeded servers on a unix machine.
But I also don't see how it could be a showstopper for any scenario.
No pain (barring modification of methods, which could be done step by 
step), some gain ... sounds good to me.

cheers,
oliver
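The gate discussed in this thread, written out as an added example (this is not Zope's code and not code from either poster): management methods that change state are marked as such, and the dispatcher refuses to run them when the request arrived as GET or HEAD, which is what a browser sends for an `<img>` tag. The `Folder`, `manage_list` and `manage_delete` names, the `Request` class and the sample object ids are all assumptions made for the example.

```python
# Added example (not from the thread or from Zope): a request-method gate
# for state-changing management methods, as proposed in the post above.
from dataclasses import dataclass, field

# Methods a browser issues without user intent (image fetches, prefetch,
# plain links).  The proposal is to never let these change state.
IDEMPOTENT_METHODS = {"GET", "HEAD"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    form: dict = field(default_factory=dict)


class MethodNotAllowed(Exception):
    """Raised when a state-changing method is reached via GET/HEAD (HTTP 405)."""


def mutating(func):
    """Mark a management method as state-changing so dispatch can gate it."""
    func.mutating = True
    return func


class Folder:
    """Hypothetical container with two management methods (names assumed)."""

    def __init__(self):
        # Constructed sample contents.
        self.objects = {"index_html": "<h1>hi</h1>", "secret": "..."}

    def manage_list(self):
        # Read-only: safe to serve over GET.
        return sorted(self.objects)

    @mutating
    def manage_delete(self, id):
        # State-changing: must only be reachable via POST.
        del self.objects[id]
        return f"deleted {id}"


def dispatch(folder, request):
    """Route /manage_* calls and enforce the method gate before running them."""
    name = request.path.rsplit("/", 1)[-1]
    handler = getattr(folder, name, None)
    if not name.startswith("manage_") or handler is None:
        raise KeyError(f"no such management method: {name}")
    # Bound methods forward attribute lookups to the function, so the
    # marker set by @mutating is visible here.
    if getattr(handler, "mutating", False) and request.method in IDEMPOTENT_METHODS:
        raise MethodNotAllowed(f"{name} requires POST, got {request.method}")
    return handler(**request.form)


def image_fetch(folder, url):
    """What happens when a browser loads <img src=url>: a bare GET, no form body."""
    path = url.split("//", 1)[-1].split("/", 1)[-1]   # drop scheme and host
    path, _, query = path.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if p)
    try:
        return dispatch(folder, Request("GET", "/" + path, params))
    except MethodNotAllowed as exc:
        return f"405: {exc}"


if __name__ == "__main__":
    folder = Folder()
    print(image_fetch(folder, "http://victimserver/manage_delete?id=secret"))  # refused
    print(dispatch(folder, Request("GET", "/manage_list")))                    # read-only, allowed
    print(dispatch(folder, Request("POST", "/manage_delete", {"id": "secret"})))  # allowed
```

Running it shows both sides of the exchange above: the image-tag GET is refused with a 405-style error and the folder is unchanged, while the read-only `manage_list` still works over GET. A POST that reaches the same method still runs, which is Brian's point that a form submission (an image used as a submit button, for instance) gets past this gate; the gate only removes the zero-interaction `<img>` vector, it is not a complete fix.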