New: Cross Site Scripting vulnerability
Example:
http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
For example, an attacker might post a message like
Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.
Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
I don't really see your point other than that a carelessly implemented app may expose these kinds of vulnerabilities. Python (and hence Zope) has a library for stripping out this sort of malicious HTML. Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this can be used.

cheers,

Chris
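The thread describes two distinct cases: a stored payload in a message-board post (where some markup is wanted, so the fix is an allowlist sanitizer of the Strip-o-Gram kind) and a reflected payload in a URL path echoed by an error page (where no markup is wanted, so the fix is plain escaping). The following is an added example written for this page, not code from the thread, from Strip-o-Gram or from Zope; it uses only the Python standard library, and the allowlists, the `Sanitizer` class and the two `render_*` helpers are assumptions for illustration.

```python
"""Neutralising the two XSS cases from the thread: stored (sanitize) and reflected (escape).

Added example; stdlib only. Tag/attribute allowlists below are illustrative assumptions.
"""
import html
from html.parser import HTMLParser

# The script-carrying tags named in the report.
SCRIPT_TAGS = {"script", "object", "applet", "embed"}
# Hypothetical message-board allowlist: simple formatting and links only.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class Sanitizer(HTMLParser):
    """Rebuild input keeping only allowlisted tags and attributes.

    Script-carrying elements are dropped together with their content, so the
    payload text never reaches the page; every other disallowed tag is
    dropped but its text is kept (escaped).
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<object>/<applet>/<embed>

    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            value = value or ""
            if name == "href" and not value.lower().lstrip().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SCRIPT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<br/>, <script/>): never touch skip_depth here.
        if tag in SCRIPT_TAGS or self.skip_depth or tag not in ALLOWED_TAGS:
            return
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs decoded &lt;...&gt; into '<...>'; re-escape it.
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments can hide conditional-comment payloads; drop them


def render_message(raw_message):
    """Stored case: a message-board post where limited markup is allowed."""
    parser = Sanitizer()
    parser.feed(raw_message)
    parser.close()
    return "".join(parser.out)


def render_not_found(requested_path):
    """Reflected case: an error page that echoes the requested path.

    The path is displayed as text, never as markup, so escaping (not
    stripping) is the right tool: the payload stays visible but inert.
    """
    return f"<p>Resource not found: {html.escape(requested_path, quote=True)}</p>"


if __name__ == "__main__":
    print(render_message("Hello message board. <SCRIPT>alert(document.cookie)</SCRIPT> Bye."))
    print(render_not_found("/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"))
```

The check worth remembering: after sanitizing, assert that neither the tag name nor the payload text survives, not merely that the angle brackets are gone; the tests below do exactly that for the message from the report and for attribute-based handlers that a tag-name blocklist alone would miss.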
Vulnerability: attacker can get file list and directory
Tested on Win32 platform
Example:
telnet zopeserver 8080
PROPFIND / HTTP/1.0 <enter> <enter> <enter>
< list files and directory >
This was tested on my site: security.instock.ru 8080
Vulnerability: attacker can get file list and directory
Tested on Win32 platform
Example: telnet zopeserver 8080 PROPFIND / HTTP/1.0 <enter> <enter> <enter>
< list files and directory >
This was tested on my site: security.instock.ru 8080
This one really seems to be the old "WebDAV is not safe" one. I guess it has been tackled already. You should be able to switch the file listing off for the Anonymous User in Zope 2.4.1 ...

Joachim
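Whether the listing is switched off for Anonymous, as Joachim suggests, is easy to verify from the outside: repeat the telnet session with no credentials and look at the status line. The following is an added example for this page, not code from the thread or from Zope: it builds the same PROPFIND request, parses a `207 Multi-Status` body for the `DAV:href` entries that make up the listing, and classifies the reply. The sample responses embedded below are constructed for the test (the resource names in them are invented), and `probe()` is a hypothetical helper that sends the request over a plain socket; it is only called from the `__main__` block.

```python
"""Check whether a WebDAV endpoint lists its tree to unauthenticated clients.

Added example, not Zope code. Sample responses are constructed; probe() is
a hypothetical helper and performs real network I/O.
"""
import socket
import xml.etree.ElementTree as ET

DAV_HREF = "{DAV:}href"


def build_propfind(host, path="/", depth="1"):
    """Raw PROPFIND request in the shape of the telnet session above.

    The report sent no Depth header; RFC 4918 section 9.1 requires a server
    to treat such a request as "Depth: infinity", i.e. enumerate the whole
    subtree. Depth: 1 keeps a probe to a single level.
    """
    lines = [
        f"PROPFIND {path} HTTP/1.0",
        f"Host: {host}",
        f"Depth: {depth}",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def split_response(raw):
    """Return (status_code, body) from a raw HTTP/1.0 response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return int(status_line.split()[1]), body


def list_hrefs(body):
    """Every DAV:href in a multistatus body, in document order."""
    root = ET.fromstring(body)
    return [h.text.strip() for h in root.iter(DAV_HREF) if h.text]


def classify(raw):
    """Map a reply to (verdict, hrefs). 207 with no credentials is the finding."""
    status, body = split_response(raw)
    if status == 207:
        return "EXPOSED", list_hrefs(body)
    if status in (401, 403):
        return "AUTH_REQUIRED", []
    if status in (405, 501):
        return "NOT_SUPPORTED", []
    return f"HTTP_{status}", []


def probe(host, port=8080, path="/"):
    """Hypothetical helper: send the request unauthenticated and classify.

    HTTP/1.0 closes the connection after the response, so read to EOF.
    """
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_propfind(host, path))
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return classify(b"".join(chunks))


# Constructed sample replies (resource names invented), used by the tests.
SAMPLE_207 = (
    b"HTTP/1.0 207 Multi-Status\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<D:multistatus xmlns:D="DAV:">\n'
    b" <D:response><D:href>/</D:href></D:response>\n"
    b" <D:response><D:href>/index_html</D:href></D:response>\n"
    b" <D:response><D:href>/acl_users/</D:href></D:response>\n"
    b"</D:multistatus>\n"
)
SAMPLE_401 = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="Zope"\r\n'
    b"\r\n"
)


if __name__ == "__main__":
    print(classify(SAMPLE_207))
    print(classify(SAMPLE_401))
    # Against a server you are allowed to test: print(probe("zopeserver", 8080))
```

Run it only against servers you are responsible for. An `EXPOSED` verdict from a connection that sent no `Authorization` header means the listing Joachim mentions is still reachable anonymously; `AUTH_REQUIRED` is the state you want after switching it off.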
On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
Vulnerability: attacker can get file list and directory
Tested on Win32 platform
Example: telnet zopeserver 8080 PROPFIND / HTTP/1.0 <enter> <enter> <enter>
< list files and directory >
This was tested on my site: security.instock.ru 8080
This one really seems to be the old "WebDAV is not safe" one. I guess it has been tackled already. You should be able to switch the file listing off for the Anonymous User in Zope 2.4.1 ...
Joachim
I totally agree. Tracebacks should not be visible to anonymous users! Although I would hesitate to call this a vulnerability, it ranks up there with the old ability to call objectIds by URL as anonymous. The less information that anonymous users can glean about the server, the better.

/---------------------------------------------------\
Casey Duncan, Sr. Web Developer
National Legal Aid and Defender Association
c.duncan@nlada.org
\---------------------------------------------------/
What does this have to do with Zope? It's down to an individual application.

----- Original Message -----
From: "ALife" <buginfo@inbox.ru>
To: <Zope-Dev@zope.org>
Sent: Sunday, September 23, 2001 10:23 AM
Subject: [Zope-dev] New: Cross Site Scripting vulnerability
Example:
http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
For example, an attacker might post a message like
Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.
Example:
http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
For example, an attacker might post a message like
Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.
First of all, I would appreciate it if you could send alleged security problems to us in private, and not advertise these on a public mailing list. I know that you had posted your previous 'discovery' to us in private some time before you took it to the public lists, but the time given to us to craft a response to your email was by far too short. One week would have been the absolute minimum!

Secondly, could you in future also describe the exact problem in more detail? I assume that you mean a malicious third party could in theory abuse our server to create a page with malicious client-side code by crafting a message on a message board or in an email, right? Your manner of posting could suggest to others that the vulnerability lies with Zope itself, not with browsers allowing malicious code via a generated web page.

Third, the 'classic.zope.org' link on the Zope.org error page has long been overdue for removal, especially since classic is now down. I have removed the auto-generated link to it.

--
Martijn Pieters | Software Engineer
mailto:mj@zope.com | Zope Corporation
http://www.zope.com/ | Creators of Zope
http://www.zope.org/
---------------------------------------------
participants (6)
- ALife
- Andy McKay
- Casey Duncan
- Chris Withers
- Joachim Werner
- Martijn Pieters