Example:
http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT> http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT> http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
For example, an attacker might post a message like
Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.
First of all, I would appreciate it if you could send alleged security problems to us in private, and not advertise these on a public mailinglist. I know that you had posted your previous ;discovery' to us in private some time before you took it to the public lists, but the time given to us to craft a response to your email was by far too short. One week would have been the absolute minumum! Secondly, could you in future also describe the exact problem in more detail? I assume that you mean a malicious third party could in theory abuse our server to create a page with malicious client-side code by crafting a message on a message board or in an email, right? Your manner of posting could suggest to others that the vulnerability lies with Zope itself, not with browsers allowing malcious code via a generated web page. Third, the 'classic.zope.org' link on the Zope.org error page has long been overdue for removal, especially since classic is now down. I have removed the auto-generated link to it. -- Martijn Pieters | Software Engineer mailto:mj@zope.com | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ ---------------------------------------------