[ZCM] [ZC] 734/ 7 Resolve "Z Search Interface vulnerable to CA-2000-02"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Mon Jan 19 18:46:59 EST 2004


Issue #734 Update (Resolve) "Z Search Interface vulnerable to CA-2000-02"
 ** Security Related ** (Public)
 Status Resolved, Zope/bug medium
To followup, visit:
  http://zope.org/Collectors/Zope/734

==============================================================
= Resolve - Entry #7 by efge on Jan 19, 2004 6:46 pm

 Status: Pending => Resolved

Resolved.
________________________________________
= Comment - Entry #6 by leper on Jan 19, 2004 6:29 pm

Fixed in the 2.6.3/2.7.0b4 releases; this issue can be resolved.
________________________________________
= Comment - Entry #5 by leper on May 3, 2003 8:21 pm

This is fixed by the badcdefrep.diff included on bug #813

________________________________________
= Unrestrict_pending - Entry #4 by ShaneH on May 2, 2003 10:32 am

This doesn't need to be confidential.

________________________________________
= Comment - Entry #3 by slinkp on Jan 30, 2003 8:21 pm

I'm sorry, but it's not fixed in 2.6.1b1.
I checked out CVS HEAD but I can't get Zope to start :-(

Let me be very clear about how to test this.
Create a default ZSearchInterface with the result page called
simply "results".
In another page, add this link:

<a href='results?title=&="><script>alert(document.domain)</script>"'>
here is the information you requested </a>

Click on the link in a vulnerable browser such as IE 5.5.
Unless the browser and/or the server takes countermeasures,
an alert box pops up.

The alert comes up when the page is rendered because the gunk
from the query string is rendered verbatim in the returned page.
In this case it is rendered as part of the "Next results" link.

The browser can prevent this (as mozilla apparently does)
by html-quoting the query string before sending it to the
server.

Server-side mitigation is discussed here:
http://www.cert.org/tech_tips/malicious_code_mitigation.html/

________________________________________
= Comment - Entry #2 by efge on Jan 30, 2003 3:26 pm

This should be fixed in Zope 2.6b1 and in CVS HEAD.
Could you please check?

________________________________________
= Request - Entry #1 by slinkp on Dec 17, 2002 6:01 pm

* Create a ZCatalog.
* Run "Find & Catalog"; make sure it catalogs enough objects that batching can be triggered.
* Create a Z Search Interface (DTML version; untested with the ZPT version).

Now a 3rd party can run arbitrary scripts in the user's browser by tricking them into following
a link to e.g. http://YourZope/YourCatalog/YourResultsPage?title=&="><script>alert(document.domain)</script>

Mozilla 1.1 seems to prevent this by automatically quoting the HTML characters in the URL. IE 5.5 is vulnerable, probably other versions too.

More information about this kind of attack:
http://www.cert.org/advisories/CA-2000-02.html
http://www.cert.org/tech_tips/malicious_code_mitigation.html/

Several issues here:

1) Should Zope generally, and ZCatalog in particular, take steps to guard against this kind of attack?
It could be handled with something similar to the scrubHTML method that "cleans" submissions to CMF.
Or is it to be left entirely up to the web app developer?

2) At the very least, the default Z Search Interface should probably take preventive measures.


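Added example, not code from the collector entries or from Zope itself, illustrating the defect slinkp describes in Entries #1 and #3: a batching "Next results" link that pastes the raw query string into the result page, beside a version that re-encodes the parameters and escapes the attribute. ATTACK_QS is constructed from the link quoted in Entry #1; the function names are hypothetical.

```python
# Added example, not Zope's code: why the batching link leaks the query
# string into HTML (Entries #1 and #3), and one way to neutralise it.
from html import escape, unescape
from urllib.parse import parse_qsl, urlencode

# Constructed from the link quoted in Entry #1: the markup rides in a
# parameter *name*, so escaping only parameter values would not be enough.
ATTACK_QS = 'title=&="><script>alert(document.domain)</script>'


def next_link_unescaped(query_string, start):
    """Vulnerable pattern: paste the raw query string into the href so the
    next batch keeps the same search terms. The '"' in the query closes
    the attribute and everything after it is parsed as markup."""
    return '<a href="results?%s&start=%d">Next results</a>' % (query_string, start)


def next_link_escaped(query_string, start):
    """Hardened pattern: parse the query into (name, value) pairs, re-encode
    them so every byte special to URLs or HTML is %-escaped, then escape
    the result for the attribute context (turns '&' into '&amp;')."""
    params = parse_qsl(query_string, keep_blank_values=True)
    params.append(("start", str(start)))
    href = escape(urlencode(params), quote=True)
    return '<a href="results?%s">Next results</a>' % href


def link_params(link):
    """What a browser sends when following the link: the text between the
    href quotes, HTML-unescaped, then decoded as a query string."""
    href = link.split('"')[1]
    return parse_qsl(unescape(href).split("?", 1)[1], keep_blank_values=True)


if __name__ == "__main__":
    for build in (next_link_unescaped, next_link_escaped):
        link = build(ATTACK_QS, 20)
        print(build.__name__, "->", link)
        print("  browser would send:", link_params(link))
```

The hardened link survives the round trip intact: the search terms (including the odd empty parameter name) and the start offset come back exactly as sent, while the unescaped link loses everything after the injected quote.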
==============================================================