[Zope] issues of trust, why security via mod_rewrite fails
Jamie Heilman
jamie@audible.transient.net
Tue, 3 Jun 2003 16:52:17 -0700
Oliver Bleutgen wrote:
> Jamie Heilman wrote:
> >Now, while I think a new header is a good stop-gap I don't think
> >its a permanent solution. The probablem of no canonical host name
> >is still source of pain in zope
>
> Could you elaborate that a little bit? Are you referring to what is
> talked about in 813 or is there something else?
Yep, 813 is a two pronged problem. The first prong are the cross-site
scripting vulnerabilties due to poor contextual escaping. Thats what
what my patch tackles. The second prong is the issue of zope's
decision to always trust the client provided hostname. That problem
hasn't been solved yet, the workarounds I mentioned in 813 are no
longer adequate as they depend on the VHM which obtains its
information from an untrustworthy source.
The only workaround for the cross site scripting issue is to patch
zope. The problem of client provided hostnames is only a problem if
you use caching and your cache doesn't use the hostname as a cache
key. If your cache allows you to add the hostname to the cache key
then you're safe - provided that doesn't open your cache up to abuse.
(see my previous posting about caching) Cache users should be aware
that adding hostname alone isn't enough, to prevent poisoning the path
info should also be added to the key as VHMs combined with type
coercion let untrusted users change that too, and possibly the
protocol... though I haven't dug that far into it yet to see just how
much can be exploited by beating up a VHM.
--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's
not for you." She was cheap, she was stupid and she wouldn't load
-- well, not for me, anyway." -Holly