[Zope] protecting users from hostile authors

Kyler B. Laird laird@ecn.purdue.edu
Sun, 26 Aug 2001 07:32:16 -0500


On Sun, 26 Aug 2001 00:15:16 +0200 (CEST) you wrote:
>Kyler B. Laird writes:
> > Looking around on Zope.org, I realized that this
> > might already be addressed.  Is there anything
> > that prevents me (as a Zope community member
> > with authoring privileges on zope.org) from 
> > luring users who have already authenticated with
> > Zope.org to come look at my pages, and then
> > running arbitrary commands with their
> > privileges?
>Starting with Zope 2.2, the effective permissions are the
>intersection of that of the current user and that of the
>executable's owner. That implies, the authors cannot do
>things by hijacking visitors.

O.k., I appreciate that (lots!).  However, I do not see
what is stopping me from doing something nasty like...

	1.	Lure you to my page.

	2.	Check to see that you are authenticated.
		(My page wouldn't require it.)

	3.	If you are, grab your user name.

	4.	Create a URL for a Bad Thing (something with
		"manage_" in it pointed at your folder).

	5.	Generate a 1x1 (or whatever) <img> tag with
		that URL as the src value.

I haven't tried this, but even if it does not work now,
I wonder what policy prevents it (and ensures it will
not work in future versions).

When I think of how to prevent this, use of the
"Referer" header jumps out, but I don't send it from 
some of my browsers.  Other possibilities include use
of cookies, but I don't even like the current
dependency on them.

For pages generated on the server (the easiest way to
do it, but not the only one), a check of outgoing HTML
to attempt to catch such things is possible, but I can
think of lots of avenues around such a check.

Any clever thoughts?

Thank you.

--kyler
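The scenario in the message above is what is now called cross-site request forgery: a privileged "manage_" URL is fetched by the victim's browser, carrying the victim's credentials, from an <img> tag the victim never meant to follow. The following is an added example (written for this page, not code from Zope or from anyone in the thread) of the server-side check that addresses the three points raised: privileged actions are refused when reached by a plain GET, a per-session secret token must accompany the request, and the Referer/Origin header is treated only as a secondary signal so that a browser which does not send it is not locked out. The site origin, server secret, session id and request values are all constructed for the example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values for this example only. A real deployment loads
# the secret from configuration and keeps the session id server-side.
SERVER_SECRET = b"example-server-secret-do-not-reuse"
SITE_ORIGIN = "https://www.example.org"  # hypothetical site origin

# Only these methods may perform a state-changing ("manage_") action.
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}


def make_csrf_token(session_id: str) -> str:
    """Derive a per-session token as HMAC(secret, session id).

    The site embeds this token in its own forms. A page served to the
    victim by another origin cannot read it, so an <img> or hidden form
    planted there cannot supply it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_matches(headers: dict) -> Optional[bool]:
    """Compare Origin (preferred) or Referer against the site's own origin.

    Returns True/False when a header is present, None when neither is sent,
    since some browsers and proxies strip Referer.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return None
    src = urlsplit(source)
    site = urlsplit(SITE_ORIGIN)
    return (src.scheme, src.netloc) == (site.scheme, site.netloc)


def check_request(method: str, path: str, headers: dict,
                  session_id: str, form: dict):
    """Decide whether a request may perform a privileged action.

    Returns (allowed, reason). Non-privileged paths are always allowed;
    the decision for "manage_" paths is taken in three steps.
    """
    if "manage_" not in path:
        return True, "not a privileged action"

    # 1. A privileged action reached by GET (the <img src> case) is refused.
    if method.upper() not in STATE_CHANGING_METHODS:
        return False, "privileged action must use POST"

    # 2. The request must carry the token only the site's own forms can embed.
    expected = make_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or wrong CSRF token"

    # 3. Origin/Referer is secondary: a mismatch is rejected, an absent header
    #    is tolerated because the token already ties the request to our forms.
    if origin_matches(headers) is False:
        return False, "cross-origin Origin/Referer"

    return True, "ok"


def demo():
    """Run the constructed scenarios from the message and return the verdicts."""
    sid = "session-123"  # constructed session id
    token = make_csrf_token(sid)
    return [
        # the attack as described: image tag fetches a manage_ URL with GET
        check_request("GET", "/folder/manage_delObjects", {}, sid, {}),
        # a real form submission from the site, browser sending no Referer
        check_request("POST", "/folder/manage_delObjects", {}, sid,
                      {"csrf_token": token}),
        # a form posted from somewhere else, without the token
        check_request("POST", "/folder/manage_delObjects",
                      {"Referer": "https://other.example/page"}, sid, {}),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

One caveat that bears on the thread's exact scenario: the token only helps against a page that cannot read it. An author who can run script on the same origin as the victim's session could fetch a form and read the token out of it, which is why the writer's thought about inspecting outgoing HTML (or otherwise constraining what untrusted authors may publish) is the complementary control rather than a redundant one.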