Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Adrian Hungate

> >  > I'd like to second this. It was one of the contributing factors in the
> >  > decision of my former employers to opt for spectra instead of a Zope
> >  > solution (That already existed!!).
> > I, in contrary, appreciate the openness and fast response with
> > respect to security problems.
> >
> > I do not install most hotfixes because the vulnerabilities do not
> > affect our sites but it is a good feeling that there are fast
> > fixes when this would be once the case.
>
> In some way we need to make it clear that most hotfixes don't matter for
> most sites.  A lot of hotfixes ensured that users who could write DTML
> couldn't get extra privileges.  They really only mattered for sites like
> zope.org, where anyone with an email address is allowed to write code
> that will be executed directly on the server.  But:
>

You are exactly right... but... The problem is not one of clarity of
labelling, it's one of targeting: The people that actually make this level of
decision (i.e. board level execs) are not "techies", and are just not
interested in _why_ the fix is needed, or in _what_ technical problem it
fixes, but that ZC (visibly) releases 'n' fixes per month for Zope, while M$
(visibly) releases less than that number per year for IIS/ASP - Therefore,
Zope must be the less stable/reliable product etc?

The logic is flawed, we all know that, but who is volunteering to visit
every company's senior execs worldwide and spend the time to make them care
enough?

The hotfixes, and new releases need to be "marketed" (I use that word
loosely) quite differently, new releases are "A Good Thing(tm)", while the
fixes need to be "under the hood" where the execs won't be bothered by them,
but the techies can find them when they need them.

I apologise, in advance, for the sweeping generalization that all execs are
like Dilbert's pointy-haired boss, but some really are!

Adrian...

--
Adrian Hungate
EMail: [EMAIL PROTECTED]
Web: http://www.haqa.co.uk



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-11 Thread Dieter Maurer

Adrian Hungate writes:
 > 
 > > We should avoid sending the wrong
 > > message by making a hotfix for every little thing.
 > >
 > > Shane

 > I'd like to second this. It was one of the contributing factors in the
 > decision of my former employers to opt for spectra instead of a Zope
 > solution (That already existed!!).
I, in contrary, appreciate the openness and fast response with
respect to security problems.

I do not install most hotfixes because the vulnerabilities do not
affect our sites but it is a good feeling that there are fast
fixes when this would be once the case.


Dieter




Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Adrian Hungate

> [Snip]
>
> I just want to keep the security worries in check.  Let me ramble for a
> bit...  We've released a lot of hotfixes, but *none* of the
> vulnerabilities could give an attacker root access, and none of them
> could give console access to anonymous users AFAIK.  All of the
> vulnerabilities violated Zope's security policy, but Zope's security
> policy is constrained by system security and other safeguards.  People
> outside the Zope community don't know that, so a lot have labeled Zope
> as too insecure to use.  The reality is that we've never even had an
> exploitable buffer overrun. :-)  We should avoid sending the wrong
> message by making a hotfix for every little thing.
>
> Shane
>

I'd like to second this. It was one of the contributing factors in the
decision of my former employers to opt for spectra instead of a Zope
solution (That already existed!!).

I am sure there are other cases of this too... If someone finds a buffer
overrun, fix it by all means, but other issues may be better left for minor
version releases, where they can be buried in the changelog.

Just my £0.02

Adrian...

--
Adrian Hungate
EMail: [EMAIL PROTECTED]
Web: http://www.haqa.co.uk






Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Tres Seaver

On Fri, 2002-08-09 at 10:43, Toby Dickenson wrote:
> On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote:
> > On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > > > The risk for breakage is very small really
> > >
> > > Your choice of '<' and html_quote suggests that my dtml code which
> > > generates javascript and vbscript carries a higher risk than dtml which
> > > generates html.
> >
> > Only if you generated that script using data from the REQUEST, implicitly.
> 
> Yes
> 
> > Which was bad in the first place.
> 
> I agree it is true in most cases, but not all. Have you analysed how many 
> applications will be broken by this? how they can detect the breakage? I 
> certainly will not have time to assess the implications on my applications 
> before the scheduled release of 2.6.
> 
> > > >, and breakage
> > > > will generally only occur when someone is trying to exploit the
> > > > weakness, not in normal operation of the site.
> > >
> > > The fact that your change uses html_quote to 'fix' the problem rather
> > > than sounding 'hacker alert' alarm bells suggests to me that you don't
> > > really believe that ;-)
> >
> > Again, the wide scope of DTML use would make such bells warble prematurely
> > all too often.
> 
> 'all too often' also contradicts your statements that this will not happen in 
> normal operation of the site, and that the risk of breakage is 'very small'.
> 
> 
> Like I said before, this is probably a good feature. If it was available as a 
> patch then I would probably use it on a number of my sites, and would 
> recommend it to others. I would be very happy to see it (or something like it) 
> in 2.7.
> 
> But not 2.6.

Martijn did add a knob to turn the feature off, via a new environment
variable.  With a security vulnerability, we have to come up with some
kind of balance between the need to propagate the fix as quickly as
possible and the need (as you point out) not to disrupt production sites
unduly.  I don't believe we can afford to wait a whole other release
cycle for this fix; Brian, Jim, and Martijn deemed the fix too
pervasive to be bundled as a hotfix, which offers us little choice
except to include it in current releases.

Without the fix, virtually every Zope site in the world is vulnerable
to URL-based cross-site scripting exploits.  For instance, any URL which
contains invalid form variable marshalling can generate an error page
which includes the erroneous value, unquoted.  E.g.:

http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E


Tres.
-- 
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  "Zope Dealers"   http://www.zope.com
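The failure mode Tres describes above, as an added illustration that is not Zope's code: a ":int" form-variable converter rejects the value, and the error page echoes that value back either raw or passed through an html_quote-style escaper. The converter, the error page layout and the html_quote stand-in are all assumptions made for this example, not the behaviour of any particular Zope release.

```python
from urllib.parse import parse_qsl


def html_quote(value):
    # Escape the characters that let a value alter the HTML around it.
    # Assumed to mirror what DTML's html_quote does; not Zope's own code.
    return (str(value).replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))


class MarshalError(ValueError):
    """Raised when a typed form variable (name:int=value) fails to convert."""
    def __init__(self, name, converter, raw):
        super().__init__(f"cannot convert {name!r} to {converter}")
        self.name, self.converter, self.raw = name, converter, raw


def marshal_form(query_string):
    # Minimal stand-in for ':int'-style form-variable converters (assumption).
    form = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        name, _, converter = key.partition(":")
        if converter == "int":
            try:
                form[name] = int(value)
            except ValueError:
                raise MarshalError(name, converter, value) from None
        else:
            form[name] = value
    return form


def render(query_string, quote_request_data):
    # Serve the request; on a marshalling failure build an error page that
    # echoes the offending name and value, quoted or not depending on the flag.
    try:
        form = marshal_form(query_string)
        return "<p>OK: %r</p>" % (form,)
    except MarshalError as e:
        q = html_quote if quote_request_data else str
        return ("<h2>Zope Error</h2><p>Error value: %s (while converting "
                "%s to %s)</p>") % (q(e.raw), q(e.name), q(e.converter))


# Constructed sample: the URL-decoded query string from the message above.
ATTACK_QUERY = "foo:int=<script>alert('Owned')</script>"

if __name__ == "__main__":
    print(render(ATTACK_QUERY, quote_request_data=False))  # tag reaches the page
    print(render(ATTACK_QUERY, quote_request_data=True))   # tag is escaped
    print(render("foo:int=42", quote_request_data=True))   # valid input unchanged
```

The second call shows why quoting breaks nothing for well-formed input: only responses that echo a rejected value change, which is exactly the case a site never depends on.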

