[Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

Shane Hathaway shane@zope.com
Fri, 09 Aug 2002 13:19:16 -0400


Tres Seaver wrote:
> Without the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits.  For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the erroneous value, unquoted.  E.g.:
> 
> <URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>

I think a URL with an inconspicuous misspelling of the domain name is a 
far greater vulnerability than cross-site scripting.

Consider:

http://barnesandnohle.com/freebooks.html

An attacker could set up that misleading domain name then spam people to 
order free books, requiring credit card info for some 
"book-of-the-month" trick.  Some simple scraping of the true site would 
keep most people from ever thinking there was a problem.  In fact, you 
don't even have to misspell it:

http://barnes-andnoble.com/freebooks.html

This affects the entire web and every piece of software involved in it.

I just want to keep the security worries in check.  Let me ramble for a 
bit...  We've released a lot of hotfixes, but *none* of the 
vulnerabilities could give an attacker root access, and none of them 
could give console access to anonymous users AFAIK.  All of the 
vulnerabilities violated Zope's security policy, but Zope's security 
policy is constrained by system security and other safeguards.  People 
outside the Zope community don't know that, so a lot have labeled Zope 
as too insecure to use.  The reality is that we've never even had an 
exploitable buffer overrun. :-)  We should avoid sending the wrong 
message by making a hotfix for every little thing.

Shane
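The marshalling bug Tres describes above (a `name:type` form variable whose value fails conversion and is echoed unquoted into the error page), modelled as an added example that is not Zope's own code; the converter table is an assumed subset of the `:int`/`:float`/`:string` suffixes, and the two renderers show the unquoted pattern beside the HTML-quoted fix.

```python
# Added example (not Zope's code): a minimal model of Zope-style ":int" form
# marshalling, showing why the error page must HTML-quote the offending value.
import html
from urllib.parse import parse_qsl

# Assumed subset of the converter suffixes Zope accepts after the colon.
CONVERTERS = {"int": int, "float": float, "string": str}


def marshal(query):
    """Parse 'name:type=value' pairs; raise ValueError naming the bad value."""
    form = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        name, _, kind = key.partition(":")
        conv = CONVERTERS.get(kind or "string")
        if conv is None:
            raise ValueError(f"unknown converter {kind!r} for {name!r}")
        try:
            form[name] = conv(value)
        except ValueError:
            # The message carries the attacker-controlled value verbatim.
            raise ValueError(f"invalid value {value!r} for {name}:{kind}")
    return form


def error_page_unquoted(message):
    # Vulnerable pattern: the submitted value lands in the HTML untouched.
    return f"<html><body><p>Error: {message}</p></body></html>"


def error_page_quoted(message):
    # Hardened: html.escape turns <, >, &, and quotes into entities.
    return f"<html><body><p>Error: {html.escape(message)}</p></body></html>"


def handle(query, render=error_page_quoted):
    """Return (status, body): the marshalled form, or an error page."""
    try:
        return 200, marshal(query)
    except ValueError as exc:
        return 400, render(str(exc))
```

Running `handle("foo:int=<b>x</b>")` with each renderer shows the same error text reaching the browser as markup in one case and as inert entities in the other.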