Re: [Zope] Zope.org membership

2000-05-22 Thread mindlace

Graham Chiu wrote:
>
> Can it be changed so that it remembers both my userid and password, or
> just my password?  I usually remember who I am!

This is certainly true.  Unfortunately, Microsoft has made it so that
anyone with a modicum of javascript skills can read *all* your cookies
(if you use IE on Windows):

http://slashdot.org/article.pl?sid=00/05/11/173257mode=nested

Now, there may not be hugely deleterious effects resulting from this, but
until cookies are handled in a sane manner, it's probably inappropriate
for us to be putting the password there.

If you're using IE 5 or Mozilla (NS 6) you can always tell it to
remember what you've entered into the password field.

Thanks,

~ethan fremen @ digicool  imeme

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Zope.org membership

2000-05-22 Thread mindlace

Graham Chiu wrote:
>
> I went there, clicked on the buttons, and got DNS errors.

This link should show you all the cookies you have at www.zope.org:

http://www.securityspace.com%2fexploit%2fexploit_1b.html%3fdomain==.www.zope.org/#exploit_1
 
> Well, you only have to save one half of a pair.  I would prefer you save
> the password.  The username I can remember :-)

Your username is publicly accessible from zope.org.  With your password,
if there's any way I can infer your username - let's say the webmaster
grabbed the information while you were posting a comment on
zopeisevil.org- they can now do whatever you could do.

More to the point, with redirection and javascript, they can even make
you do it.  For zope.org membership as it is today, all they could do is
besmirch your good name in the community. In the future, as the things a
zope member can do expand, it could mess up more.

I will, however, look into other possibilities, like maybe your password
could be filled in server side, if some appropriate check can be made.

If you like, drop this issue in the Tracker, http://www.zope.org/Tracker
, so that you'll be updated when its status changes.

> > If you're using IE 5 or Mozilla (NS 6) you can always tell it to
> > remember what you've entered into the password field.
>
> Doesn't offer to save it for me on IE5. If it did, I wouldn't be asking.

Hmm.  It harasses me about it all the time.  Perhaps I'm using IE 5.5
(can't remember, I'm back in linux.)

~ethan
