Re: [Zope-dev] 2.7 management_page_charset cannot be callable
In addition to this problem, someone has changed manage_form_title.dtml and caused me grief!

The <dtml-var title> tag has been changed to <&dtml-title;>

This causes an implicit html-quote to now be performed, which means that my <img> tag, inserted to display the product's icon to more strongly associate what is being created, now just writes the html into the title line.

Since nothing was broken in the first place, how about backing out this change.

Cheers,
Alan
Alan Milligan wrote:
In addition to this problem, someone has changed manage_form_title.dtml and caused me grief!
The <dtml-var title> tag has been changed to <&dtml-title;>
This causes an implicit html-quote to now be performed which means that my <img> tag, inserted to display the product's icon to more strongly associate what is being created, now just writes the html into the title line.
Since nothing was broken in the first place, how about backing out this change.
That change is one of a number which are designed to prevent cross-site scripting attacks; DTML is particularly vulnerable to such cracks, as it doesn't force the template writer to choose the source from which the name will be bound.

Your scenario is actually quite close to the posited attack: imagine that user 'black_hat' inserts a document whose title has nasty javascript in an 'onload' attribute of a tag; such javascript can be used, for instance, to steal cookies, to post to 'manage_shutdown', etc.

Tres.

-- 
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
Tres Seaver wrote:
Alan Milligan wrote:
In addition to this problem, someone has changed manage_form_title.dtml and caused me grief!
The <dtml-var title> tag has been changed to <&dtml-title;>
This causes an implicit html-quote to now be performed which means that my <img> tag, inserted to display the product's icon to more strongly associate what is being created, now just writes the html into the title line.
Since nothing was broken in the first place, how about backing out this change.
That change is one of a number which are designed to prevent cross-site scripting attacks; DTML is particularly vulnerable to such cracks, as it doesn't force the template writer to choose the source from which the name will be bound.
Your scenario is actually quite close to the posited attack: imagine that user 'black_hat' inserts a document whose title has nasty javascript in an 'onload' attribute of a tag; such javascript can be used, for instance, to steal cookies, to post to 'manage_shutdown', etc.
Tres.
Wooahh

Who are we trying to protect ourselves from?? Any Zope product is automatically supposed to be 'trusted' by virtue of being written to the Products directory. Surely protecting ourselves from malicious product developers is not within the bounds of the existing product framework. Given I've written the dtml in the first place, I could write my cookie stealer *anywhere* in my dtml.

Whenever we install software on a networked device, we have to assess the security risks against the perceived benefit of the software's functionality. Installation of a Zope product is not without risk, especially if the author is not known. As you are suggesting, installing a Zope product could not only attack our system, but that of any hosted website user, so there are many stakeholders interested in security assurance.

This is the lamest excuse I could imagine for justifying this change.

Cheers,
Alan
On Fri, 16 Jan 2004, Alan Milligan wrote:
Tres Seaver wrote:
That change is one of a number which are designed to prevent cross-site scripting attacks; DTML is particularly vulnerable to such cracks, as it doesn't force the template writer to choose the source from which the name will be bound.
Your scenario is actually quite close to the posited attack: imagine that user 'black_hat' inserts a document whose title has nasty javascript in an 'onload' attribute of a tag; such javascript can be used, for instance, to steal cookies, to post to 'manage_shutdown', etc.
Tres.
Wooahh
Who are we trying to protect ourselves from??
We are protecting ourselves from nasty URLs written by anyone on the web. Because DTML is so implicit, it is conceivable that an URL like the following might kill your site (or worse!):

http://zope.example.com/?title=<script>document.location=/Control_Panel/manage_shutdown</script>

For a black hat to exploit your site, he only needs to convince you to follow the link. This is what is known as a cross-site scripting bug and it's a widespread problem for all dynamic web servers like Zope. People are really concerned about it. The only cure is to HTML-quote by default. FWIW:

http://www.cgisecurity.com/articles/xss-faq.shtml

Shane
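The html-quoting that Tres and Shane describe, as an added Python example that is not part of this thread and not Zope's code: a stand-in for `<dtml-var title>` beside a stand-in for `<&dtml-title;>`, a small tag collector that reports which rendering lets a title value introduce markup of its own, and the product-icon case from Alan's first message handled by keeping the `<img>` in the template and quoting only the title. The sample title values and the icon path are constructed; the render functions are simplifications of DTML substitution, not its engine.

```python
import html
from html.parser import HTMLParser

# Constructed sample title values (not taken from any real site).
TITLE_BENIGN = "Add Folder"
TITLE_SCRIPT = "<script>/* attacker-controlled */</script>"
TITLE_ONLOAD = '<b onload="/* attacker-controlled */">Add Folder</b>'
ICON_URL = "misc_/MyProduct/icon.gif"  # hypothetical product icon path


class TagCollector(HTMLParser):
    """Records every start tag so template markup can be told apart from injected markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the start tags present in a piece of rendered HTML."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def render_unquoted(title):
    """Stand-in for <dtml-var title>: the value is substituted verbatim."""
    return "<h2>%s</h2>" % title


def render_quoted(title):
    """Stand-in for <&dtml-title;>: the value is html-quoted before substitution."""
    return "<h2>%s</h2>" % html.escape(title, quote=True)


def render_quoted_with_icon(title, icon_url):
    """The product-icon case: the <img> lives in the template, only the title is data."""
    return '<h2><img src="%s" alt=""> %s</h2>' % (
        html.escape(icon_url, quote=True),
        html.escape(title, quote=True),
    )


def injected_tags(rendered, template_tags):
    """Tags in the rendered output that the template itself did not contribute."""
    extra = tags_in(rendered)
    for tag in template_tags:
        if tag in extra:
            extra.remove(tag)
    return extra


if __name__ == "__main__":
    for title in (TITLE_BENIGN, TITLE_SCRIPT, TITLE_ONLOAD):
        print("unquoted:", injected_tags(render_unquoted(title), ["h2"]))
        print("quoted:  ", injected_tags(render_quoted(title), ["h2"]))
    print(render_quoted_with_icon(TITLE_BENIGN, ICON_URL))
```

The unquoted rendering is the only one through which a title value can add a `script` or `b` tag to the page; the quoted rendering turns the same values into inert text, and the icon variant shows that the markup a product wants displayed belongs in the template, where it is under the template author's control, not in the quoted variable.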
This indeed is a problem. Isn't this an issue because all of these quasi-private methods have a document string and are hence callable via an http request?

If we were to remove the doc string from manage_form_title (ie via rewriting this as a python method which delegates to the underlying DTML (made private)), then this method would then render itself callable only via DTML/ZPT etc wouldn't it???

Alan

Shane Hathaway wrote:
On Fri, 16 Jan 2004, Alan Milligan wrote:
Tres Seaver wrote:
That change is one of a number which are designed to prevent cross-site scripting attacks; DTML is particularly vulnerable to such cracks, as it doesn't force the template writer to choose the source from which the name will be bound.
Your scenario is actually quite close to the posited attack: imagine that user 'black_hat' inserts a document whose title has nasty javascript in an 'onload' attribute of a tag; such javascript can be used, for instance, to steal cookies, to post to 'manage_shutdown', etc.
Tres.
Wooahh
Who are we trying to protect ourselves from??
We are protecting ourselves from nasty URLs written by anyone on the web. Because DTML is so implicit, it is conceivable that an URL like the following might kill your site (or worse!):
http://zope.example.com/?title=<script>document.location=/Control_Panel/manage_shutdown</script>
For a black hat to exploit your site, he only needs to convince you to follow the link. This is what is known as a cross-site scripting bug and it's a widespread problem for all dynamic web servers like Zope. People are really concerned about it. The only cure is to HTML-quote by default. FWIW:
http://www.cgisecurity.com/articles/xss-faq.shtml
Shane
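The publishing rule that Alan's proposal relies on, as an added Python example (a simplified model written for this thread, not ZPublisher's own code): Zope 2's publisher refuses to traverse to a name beginning with an underscore and refuses to publish an object that carries no docstring, so fronting the DTMLFile with a docstring-less method makes it unreachable by URL while DTML and Python callers can still use it. `DTMLFileStandIn`, `ManagementBefore`, `ManagementAfter` and `publish` are all constructed here.

```python
class DTMLFileStandIn:
    """Stand-in for a Zope DTMLFile (constructed here, not Zope's class).

    Like the real thing it is callable and carries a docstring, which is the
    property ZPublisher keys on when deciding whether an object may be published.
    """

    def __init__(self, default_title="Add Form"):
        self.default_title = default_title

    def __call__(self, client=None, REQUEST=None, **kw):
        # Real DTMLFile rendering is far richer; this only shows the title binding.
        title = kw.get("form_title", self.default_title)
        return "<h2>%s</h2>" % title


class ManagementBefore:
    """Shape before the change: the DTMLFile sits directly on the public name."""
    manage_form_title = DTMLFileStandIn()
    manage_form_title__roles__ = None  # None means "public" in Zope 2


class ManagementAfter:
    """Shape after the change: the DTMLFile is private, fronted by a method with no docstring."""
    _manage_form_title = DTMLFileStandIn()
    manage_form_title__roles__ = None

    def manage_form_title(self, *args, **kw):
        # Deliberately no docstring: that absence is what keeps ZPublisher from publishing it.
        return self._manage_form_title(self, *args, **kw)


def publish(obj, name, **form):
    """Simplified model of two ZPublisher traversal checks (not the real publisher).

    1. A path element starting with '_' is never traversed.
    2. The object reached must carry a docstring, or it is treated as Not Found.
    Returns (status, body) so callers can check the outcome.
    """
    if name.startswith("_"):
        return 404, "Not Found: private name %r" % name
    target = getattr(obj, name, None)
    if target is None or not callable(target):
        return 404, "Not Found: %r" % name
    if not getattr(target, "__doc__", None):
        return 404, "Not Found: missing doc string at %r" % name
    return 200, target(**form)


if __name__ == "__main__":
    print(publish(ManagementBefore(), "manage_form_title", form_title="Add Folder"))
    print(publish(ManagementAfter(), "manage_form_title", form_title="Add Folder"))
    print(publish(ManagementAfter(), "_manage_form_title"))
    print(ManagementAfter().manage_form_title(form_title="Add Folder"))
```

Before the change a request can reach the title template by name and feed it a `form_title`; after it, the same request is refused at the docstring check, the underscore name is refused outright, and an in-process caller such as a template still gets the rendered title.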
Shane Hathaway wrote:
|
| We are protecting ourselves from nasty URLs written by anyone on the web.
| Because DTML is so implicit, it is conceivable that an URL like the
| following might kill your site (or worse!):
|
| http://zope.example.com/?title=<script>document.location=/Control_Panel/manage_shutdown</script>
|
| For a black hat to exploit your site, he only needs to convince you to
| follow the link. This is what is known as a cross-site scripting bug and
| it's a widespread problem for all dynamic web servers like Zope. People
| are really concerned about it. The only cure is to HTML-quote by default.
| FWIW:
|
| http://www.cgisecurity.com/articles/xss-faq.shtml
|
| Shane

The affixed patch makes it impossible to call manage_form_title directly, and thus eliminates xss attacks on it. This method (and probably loads more) wasn't designed to be public, but inherited this feature by virtue of being implemented as DTML.

Can someone please check and apply this patch (and back out the patch html-quoting the form-title on manage_form_title.dtml) :)

TIA,
Alan

--- App/Management.py Sun Jan 18 19:43:55 2004
+++ App/Management.py.save Sun Jan 18 19:30:07 2004
@@ -173,14 +173,11 @@ manage_page_header=DTMLFile('dtml/manage_page_header', globals()) manage_page_footer=DTMLFile('dtml/manage_page_footer', globals()) - _manage_form_title =DTMLFile('dtml/manage_form_title', globals(), + manage_form_title =DTMLFile('dtml/manage_form_title', globals(), form_title='Add Form', help_product=None, help_topic=None) - def manage_form_title(self, *args, **kw): - return self._manage_form_title(self, *args, **kw) - - _manage_form_title._setFuncSignature( + manage_form_title._setFuncSignature( varnames=('form_title', 'help_product', 'help_topic') ) manage_form_title__roles__ = None
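Review bot: the diff is generated backwards: `--- App/Management.py` (the edited file, timestamped 19:43) is on the old side and `+++ App/Management.py.save` (the backup, 19:30) on the new side, so the `-` lines are the intended change and `patch -p0` would actually undo it; regenerate it as `diff -u App/Management.py.save App/Management.py` before anyone applies it. Reading it in the intended direction, the new `def manage_form_title(self, *args, **kw):` wrapper has no docstring, and that absence is precisely what keeps ZPublisher from publishing it, so add a comment saying so, otherwise a later well-meant docstring silently reopens the URL. Also confirm that templates invoking `manage_form_title` still receive `form_title`, `help_product` and `help_topic` now that `_manage_form_title._setFuncSignature(` applies to the renamed DTMLFile rather than to the name the templates call, and that the `manage_form_title__roles__ = None` declaration left in context is still what you want on the wrapper.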
Participants (3): Alan Milligan, Shane Hathaway, Tres Seaver