> The issue of client side trojan recently came to my mind again.
> Looking at http://www.zope.org//Members/jim/ZopeSecurity/ClientSideTrojan
> I found nothing new since Oct. 2001, so I thought I'd bring up the issue 
> again, maybe it's something which could be taken care of for zope => 2.6.
> I wrote something about that at the wiki, but let me repeat my proposal.
> I think zope's management methods (the potentially destructive ones) 
> should not accept REQUESTs with REQUEST_METHOD "GET".
> This is in accordance with the http/1.1 rfc (reposted from the wiki):
> <snip RFC citation...>
> The win would be that disabling javascript would make a client safe from 
> this form of attack, AFAIK, OTOH I can't think of anything which would 
> break ATM.

While I don't necessarily disagree about making GETs idempotent, 
this still doesn't make you "safe", even with JS turned off.

A quick example: images can be used as form submit buttons. If 
I can get you to visit a page and click on my innocent looking 
image... you're done :)

This is a hard, hard problem. While some good ideas have been 
proposed, there is not really a quick fix that doesn't have 
some downside that some group somewhere considers a 
showstopper :(

Brian Lloyd        [EMAIL PROTECTED]
V.P. Engineering   540.361.1716       
Zope Corporation   http://www.zope.com
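An added illustration of the two points made in this exchange (example code, not from the thread or from Zope itself): a toy "destructive management method" that refuses GET stops the image-tag style of client-side trojan, but a cross-site POST form with an image submit button still reaches it with the victim's cookie attached, so a per-session secret that the foreign page cannot read is also needed. The names `Session`, `Request`, `manage_delete_*` and the constructed requests in `simulate()` are all assumptions made for the example.

```python
# Added example, not Zope code: model the "reject GET" proposal beside a
# per-session token check, and run both against constructed requests.
from dataclasses import dataclass, field
import secrets


@dataclass
class Session:
    user: str
    # secret known only to pages this server rendered for this session
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    form: dict
    session: Session  # the browser sends the victim's cookie either way


def manage_delete_get_check_only(req: Request):
    """The quoted proposal: a destructive method refuses REQUEST_METHOD GET."""
    if req.method == "GET":
        return 405, "GET not allowed"
    return 200, f"deleted {req.form.get('id')}"


def manage_delete_with_token(req: Request):
    """Hardened form: additionally require a token the foreign page cannot know."""
    if req.method == "GET":
        return 405, "GET not allowed"
    supplied = req.form.get("csrf_token", "")
    if not secrets.compare_digest(supplied, req.session.csrf_token):
        return 403, "missing or wrong CSRF token"
    return 200, f"deleted {req.form.get('id')}"


def simulate() -> dict:
    victim = Session(user="admin")
    # Constructed case 1: an <img src="/manage_delete?id=42"> tag -> a GET.
    img_get = Request("GET", "/manage_delete", {"id": "42"}, victim)
    # Constructed case 2: a foreign page's POST form whose submit button is an
    # image; the victim clicks, the cookie goes along, but no token is known.
    form_post = Request("POST", "/manage_delete", {"id": "42"}, victim)
    # Constructed case 3: the real management page, which carries the token.
    legit = Request("POST", "/manage_delete",
                    {"id": "42", "csrf_token": victim.csrf_token}, victim)
    return {
        "img_get_check_only": manage_delete_get_check_only(img_get)[0],
        "form_post_check_only": manage_delete_get_check_only(form_post)[0],
        "form_post_with_token": manage_delete_with_token(form_post)[0],
        "legit_with_token": manage_delete_with_token(legit)[0],
    }
```

Only the image-button POST against the GET-only check succeeds (200); the same request fails the token check (403) while the legitimate one passes.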

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )