> For example, an attacker might post a message like
> Hello message board. This is a message.
> <SCRIPT>malicious code</SCRIPT>
> This is the end of my message.
> When a victim with scripts enabled in their browser reads this
> message, the malicious code may be executed unexpectedly.
> Scripting tags that can be embedded in this way include <SCRIPT>,
> <OBJECT>, <APPLET>, and <EMBED>.
First of all, I would appreciate it if you could send alleged security
problems to us in private, and not advertise these on a public mailinglist.
I know that you had posted your previous ;discovery' to us in private some
time before you took it to the public lists, but the time given to us to
craft a response to your email was by far too short. One week would have
been the absolute minumum!
Secondly, could you in future also describe the exact problem in more
detail? I assume that you mean a malicious third party could in theory abuse
our server to create a page with malicious client-side code by crafting a
message on a message board or in an email, right? Your manner of posting
could suggest to others that the vulnerability lies with Zope itself, not
with browsers allowing malcious code via a generated web page.
Third, the 'classic.zope.org' link on the Zope.org error page has long been
overdue for removal, especially since classic is now down. I have removed
the auto-generated link to it.
| Software Engineer mailto:[EMAIL PROTECTED]
| Zope Corporation http://www.zope.com/
| Creators of Zope http://www.zope.org/
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -