sean.upton@uniontrib.com wrote:
> Personally, I think this really should be an integration issue instead of a Zope issue: use a front-end proxy server (i.e. Squid) and set up ACLs to prevent this...
This hasn't been fixed because it's not well understood. JavaScript can POST an invisible form, AFAIK. The problem occurs on the browsers of users who are *already authenticated*. It has nothing to do with Zope or any server software, really.

Let's say I wanted to boost a stock price using a client-side trojan. I could post a page that gives the details about some fictitious seminar that helps people do better in the stock market. I could advertise my page on a stock trading site. I could add a frame of height 0 to this page. The frame would invisibly make a request to the stock trading site that would buy a certain stock. If I use an anonymizer, I might be able to make a few bucks. It would work because the unknowing visitor would be logged in with a cookie. The script acts as an "agent" for the user. The problem is that there is no way for the stock trading site to tell the difference between the user and the agent.

I don't know of any actual exploits, but I think it's a much more serious issue than revealing paths. :-)

Shane
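The gap Shane describes is that the cookie alone cannot tell the user from the agent acting in the user's browser. The standard server-side fix is to require, on every state-changing request, a per-session token that only pages served by the site itself can carry, since a page on another origin cannot read it. The following is an added example illustrating that check, not code from this thread or from Zope; the request dict layout, `SERVER_SECRET`, the session id and the form fields are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed example secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret"


def issue_token(session_id: str) -> str:
    """Derive the token the server embeds in forms it serves to this session.

    Keyed on the server secret, so it can be recomputed on submit without
    storing anything per session, and cannot be forged without the key.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(method: str) -> bool:
    """Only requests that can change state (buy stock, etc.) need the token."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def authorize_request(request: dict) -> bool:
    """Return True only if the request may perform its action.

    `request` is a constructed dict: {"method", "cookies", "form"}.
    The session cookie proves which account the browser is logged in as;
    the form token proves the submitting page was served by this site to
    that same session, which an invisible cross-site frame cannot satisfy.
    """
    session_id = request["cookies"].get("session")
    if session_id is None:
        return False  # not authenticated at all
    if not is_state_changing(request["method"]):
        return True
    submitted = request["form"].get("csrf_token", "")
    expected = issue_token(session_id)
    # Constant-time compare so a missing or guessed token leaks no timing.
    return hmac.compare_digest(submitted, expected)


# Constructed sample requests, both carrying the victim's logged-in cookie.
LEGIT_REQUEST = {  # form served by the site itself, token included
    "method": "POST",
    "cookies": {"session": "sess-42"},
    "form": {"symbol": "XYZ", "qty": "100", "csrf_token": issue_token("sess-42")},
}
FORGED_REQUEST = {  # submitted by a hidden frame on a third-party page
    "method": "POST",
    "cookies": {"session": "sess-42"},
    "form": {"symbol": "XYZ", "qty": "100"},
}
```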