[Zope] protecting users from hostile authors

Oliver Bleutgen Oliver Bleutgen <myzope@gmx.net>
Sat, 1 Sep 2001 16:16:56 +0200


> O.k., I've been mulling over the topic of
> protecting users from lots of potentially
> hostile authors.  I've got some ideas
> that could go a little way toward solving
> the problem.

> When writing a method that is going to do
> something *really* privileged (like "drop
> class"), there should be a second "Are
> you sure you want to...?" step.

> In order to enforce the desired use of
> this step, there must be a way to
> determine that the method is being called
> directly from the Zope Publisher(???) -
> not through an intermediate method.  I
> have worked with such problems extensively
> under Apache, and the most secure solution
> I developed was not pretty.  I'm hoping
> for better in Zope.

This is IMO equivalent to the problem of determining if the 
manage_-method has been called by "legitimate" means, i.e.
creating some kind of state - otherwise the attacker
would just target the same methods as the "are you sure?"
screen you propose. Btw. I wouldn't want to be asked
for everything I do in the ZMI - and everything you can do
there is potentially dangerous.

> Is there a good un-fakeable way in Zope
> to determine the caller of a method?  

I fear that's impossible when we look at what happens.

(1)Hostile html-page -> (2)client -> (3)manage_method

Between (1) and (3) there's always the client and
looking at modern browsers I find it very unlikely
that we can always trust (2).


> (Another piece that is required for the
> "extra step" solution I mention is the
> generation of some cryptographic key to
> the second step.  I think I understand
> how to do that.)

If you know how to solve that, you can also
stuff that key directly into the ZMI as we
have them now, can't you? 

OTH, looking at techniques discussed here
recently, like IIRC
http://www.ashleyit.com/rs/
we see there are various possibilites to GET/POST pages 
on the users behalf in order to get at your cryptographic key.


> Some other things to consider...if you
> have a "Referer" header, you could use it
> to insure that the user got to your
> method through the "proper" path.  Using
> the "Accept" header *should* give a clue
> if the request is coming as a result of a
> tag like "img".  These are not dependable
> solutions, though.  Some browsers do not
> send the Referer, and MS browsers have a
> long history of sending bogus Accept
> values.  Also, frames could be used
> instead of images for "invisible" calls.

I see no chance to defeat an attack against
a browser which is to "open" w.r.t. scripting.

But, without javascript, there's IMO an easy and
compatible way to defeat almost any attack. I posted
this also to the wicki, just make sure that possibly
destructive methods can only be called from
the web via POST.
The http/1.1 rfc says about that:


9.1.1 Safe Methods


   Implementors should be aware that the software represents
   the  user in their  interactions over the  Internet,  and
   should be careful  to allow  the user to be aware  of any
   actions  they might  take which  may have  an unexpected
   significance to themselves or others.

   In particular, the  convention has been  established that
   the  GET   and  HEAD   methods  SHOULD   NOT  have    the
   significance of taking  an  action other  than retrieval.
   These methods ought to be considered  "safe". This allows
   user agents to  represent  other methods, such as   POST,
   PUT and  DELETE, in  a special  way, so  that the user is
   made aware of the fact  that a possibly unsafe action  is
   being requested.

   Naturally,  it  is   not  possible  to   ensure  that the
   server does  not generate  side-effects as  a result   of
   performing  a  GET   request;   in  fact,   some  dynamic
   resources  consider   that  a   feature.  The   important
   distinction here  is that  the user  did not  request the
   side-effects, so therefore cannot be held accountable for
   them.



cheers,
oliver