[Zope] Re: CERT -- Malicious HTML Tags

Squishdot squishdot@yahoo.com
Wed, 2 Feb 2000 16:04:25 -0800 (PST)


tres seaver <tseave-@palladion.com> wrote: 
> CERT has released a fairly dire advisory on the dangers of dynamic page
> generation when coupled with untrusted content submission:
> 
>  http://www.cert.org/advisories/CA-2000-02.html
> 
> Anyone care to comment on Zope's vulnerability here?  For instance, the ZGotW
> site allows submissions in structured text, plain text, and HTML -- but now I am
> probably going to htmlquote() the last, which kills a lot of the point of it,
> no?
> 
> The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their immoral
> equivalents, <OBJECT>, <EMBED>, and <APPLET>).  Consider, for instance, those
> nasty pop-up windows launched by some "free" webspace providers;  then consider
> what happens in Squishdot, ZGotW, or any other site which permits users to enter
> arbitrary HTML as part of the feedback/collaboration process.  Not a pretty

Yes, I've been reading up on it as well. I'll be studying this issue
as well WRT Squishdot. I would probably need to add some validation
to Squishdot to filter out these *malicious tags* -- if anyone in the
Zope/Squishdot has ideas/code to fix this, please contact me ASAP.

I've checked Squishdot so that all input fields are HTML-quoted, but
the most vulnerable part seems to be the possible addition of javascript and
other executable code -- if I build a validation mechanism that filters out <SCRIPT,
<OBJECT, <APPLET and <EMBED html tags, would this solve the problem --
or is this only a partial solution? What other things would I need
to filter out?

I don't know about Zope's cookie mechanism -- since we get the Cookie
already as part of the namespace -- is this vulnerable too?

Regards,

Butch

=====
Butch Landingin
Squishdot maintainer
http://squishdot.org
squishdot@yahoo.com
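The filtering question in the message above, worked through as an added example that is not code from this thread, from Squishdot or from Zope: stripping only the four named tags is a partial solution, because active content can also arrive through attributes (event handlers) and through URL schemes in otherwise harmless tags. The usual defender's answer is an allowlist rather than a blocklist: keep only the tags, attributes and URL schemes you explicitly permit and re-escape everything else. The allowlists, the class and function names and the sample input below are all assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists for a discussion site: everything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "pre", "code", "br",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # no attributes at all on other tags
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}                        # tags that take no closing tag
RAW_TEXT_TAGS = {"script", "style"}       # their body is code, not text: drop it


def _safe_url(value):
    """Accept relative URLs and the allowed schemes only."""
    if value is None:
        return False
    # Strip whitespace/control characters before reading the scheme, since
    # browsers tolerate them inside a scheme but urlsplit does not.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds submitted HTML from allowlisted tags/attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded
        self.out = []        # output fragments
        self.dropped = []    # names of rejected tags, useful for logging
        self._open = []      # stack of allowed tags awaiting a close tag
        self._skipping = False

    def handle_starttag(self, tag, attrs):       # tag names arrive lowercased
        if tag in RAW_TEXT_TAGS:
            self._skipping = True                # swallow the script body too
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                         # event handlers land here
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._skipping = False
        if tag not in ALLOWED_TAGS or tag in VOID_TAGS or tag not in self._open:
            return                               # stray or disallowed close tag
        while self._open:                        # close anything nested inside
            opened = self._open.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    # Comments, processing instructions and declarations use the base-class
    # no-op handlers, so they are silently removed.

    def result(self):
        self.close()
        while self._open:                        # balance unclosed submissions
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_report(html):
    """Return (clean_html, dropped_tag_names) for one submission."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result(), parser.dropped


def sanitize(html):
    return sanitize_report(html)[0]


# Constructed sample submission: script tag, event-handler attribute, embed.
SAMPLE = ('<p>Hi <b>there</b><script>doSomething()</script> '
          '<a href="http://squishdot.org" onclick="doSomething()">site</a></p>'
          '<embed src="movie.swf">')

if __name__ == "__main__":
    clean, dropped = sanitize_report(SAMPLE)
    print(clean)      # <p>Hi <b>there</b> <a href="http://squishdot.org">site</a></p>
    print(dropped)    # ['script', 'embed']
```

The sanitizer never has to know which tags or attributes are dangerous; anything outside the allowlist, including tags that did not exist when the list was written, is dropped, and the `dropped` list gives the site operator a record of what users tried to submit. Structured text and plain text submissions still go through plain HTML quoting; this only applies to the "raw HTML" path.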