Hi Bob,

>Are you sure it's vulnerable? If you return a JSON object, it is not
>vulnerable. JSON objects are only valid expressions, not statements,
>so they are simply an error when sourced with a script tag.
The app was definitely vulnerable, I proved it with an exploit. The app 
wasn't in fact written with TurboGears, but works very similarly.

To answer the other question, why don't you just...

> @expose(format='json')
> @identity.require(identity.not_anonymous())
> def get_private_data(self, *args, **kw):

... because the identity requirement can be bypassed by a malicious 
website. That's what the Fortinet advisory is about.

The malicious website embeds a script tag <script 
src="http://victim.com/vulnerable.json">. When a user visits the 
malicious website, the browser gets the script from the victim server, 
and (if the user is logged in) automatically attaches the cookie, so the 
request is valid. However, using some JavaScript trickery the malicious 
website can read the returned JSON.

Paul

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"TurboGears" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/turbogears?hl=en
-~----------~----~----~----~------~----~------~--~---