Re: [Zope-dev] Vulnerability: attacking can get file list and directory

2001-09-24 Thread Shane Hathaway

[EMAIL PROTECTED] wrote:

> Personally, I think this really should be an integration issue instead of a
> Zope issue: use a front-end proxy server (i.e. Squid) and set up ACLs to
> prevent this...


This hasn't been fixed because it's not well understood.  Javascript can 
POST an invisible form, AFAIK.  The problem occurs on the browsers of 
users who are *already authenticated*.  It has nothing to do with Zope 
or any server software, really.

Let's say I wanted to boost a stock price using a client-side trojan.  I 
could post a page that gives the details about some fictitious seminar 
that helps people do better in the stock market.  I could advertise my 
page on a stock trading site.

I could add a frame of height 0 to this page.  The frame would invisibly 
make a request to the stock trading site that would buy a certain 
stock.  If I use an anonymizer, I might be able to make a few bucks.

It would work because the unknowing visitor would be logged in with a 
cookie.  The script acts as an "agent" for the user.  The problem is 
that there is no way for the stock trading site to tell the difference 
between the user and the agent.

I don't know of any actual exploits, but I think it's a much more 
serious issue than revealing paths. :-)

Shane


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
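An added example (not code from the thread or from Zope) of how the trading site in Shane's scenario could tell the user apart from the "agent": it requires a per-session secret that only the site's own pages can embed in a form, and checks the browser-supplied Origin/Referer header. The site origin, the sample requests and the function names are assumptions made for the illustration.

```python
# Added example, not part of the original thread. Two independent signals
# distinguish a user's own form submission from a request that a hidden
# frame on another page fires with that user's cookie: a secret token the
# foreign page cannot read, and the Origin/Referer header the browser adds.
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://trading.example"  # assumed origin of the protected site


def issue_token(session: dict) -> str:
    """Create (once) and return the anti-forgery token kept in the server-side
    session. The site's own pages embed it in a hidden form field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def is_same_site_post(session: dict, headers: dict, form: dict) -> bool:
    """True only if a state-changing POST carries the session's token and,
    when the browser sent Origin/Referer, that header names our own origin."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return False  # missing or wrong token: treat as forged
    origin = headers.get("Origin") or headers.get("Referer")
    if origin:
        p = urlparse(origin)
        if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
            return False  # cookie present, but the request came from elsewhere
    return True


# Constructed sample traffic: a logged-in victim's session, an order placed
# from the site's own form, and the same order fired from a frame on an
# unrelated page (the scenario described in the thread).
victim_session = {"user": "alice"}
token = issue_token(victim_session)

legit_request = (
    {"Origin": SITE_ORIGIN, "Cookie": "session=abc"},
    {"symbol": "XYZ", "qty": "100", "csrf_token": token},
)
forged_request = (
    {"Origin": "https://seminar.example", "Cookie": "session=abc"},
    {"symbol": "XYZ", "qty": "100"},  # the foreign page cannot read the token
)


def check(request) -> bool:
    headers, form = request
    return is_same_site_post(victim_session, headers, form)
```

Browsers today additionally honour the SameSite cookie attribute, which withholds the cookie from such cross-site requests in the first place; it was not available in 2001.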



Re: [Zope-dev] Vulnerability: attacking can get file list and directory

2001-09-24 Thread Shane Hathaway

[EMAIL PROTECTED] wrote:

> On a high-traffic site, wouldn't the log get really big, really quickly with
> tracebacks?  It is also nice to have the tracebacks in the browser window
> for debugging... 


But the log won't grow more than Z2.log.  Yes, it is nice to have the 
tracebacks in the browser window, but IMHO it is *not* helpful to have 
tracebacks hidden in HTML comments.


> Why not just enable tracebacks to clients from trusted IP address ranges or
> domains...  Set this up as an option in Z2.py?


Sounds useful.  We need a fishbowl proposal.

> Anyway, that's my 3-mile high take on it... 


Thanks!

Shane

