Tres Seaver wrote:
> Without the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits. For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the erroneous value, unquoted. E.g.:
>
> <URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>
I think a URL with an inconspicuous misspelling of the domain name is a far greater vulnerability than cross-site scripting. Consider:

http://barnesandnohle.com/freebooks.html

An attacker could set up that misleading domain name, then spam people to order free books, requiring credit card info for some "book-of-the-month" trick. Some simple scraping of the true site would keep most people from ever thinking there was a problem. In fact, you don't even have to misspell it:

http://barnes-andnoble.com/freebooks.html

This affects the entire web and every piece of software involved in it.

I just want to keep the security worries in check. Let me ramble for a bit...

We've released a lot of hotfixes, but *none* of the vulnerabilities could give an attacker root access, and none of them could give console access to anonymous users AFAIK. All of the vulnerabilities violated Zope's security policy, but Zope's security policy is constrained by system security and other safeguards. People outside the Zope community don't know that, so a lot have labeled Zope as too insecure to use. The reality is that we've never even had an exploitable buffer overrun. :-)

We should avoid sending the wrong message by making a hotfix for every little thing.

Shane

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
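The pattern Tres describes in the quoted message (a `foo:int` form-variable conversion fails, and the error page reflects the offending value into HTML without escaping it) can be shown with a small standalone sketch. The code below is an added illustration, not Zope's own marshalling or error-page code: `marshal_form_value` is a hypothetical stand-in for the `name:converter` convention, and the two `error_page_*` functions contrast the unquoted reflection with an escaped one using the standard library's `html.escape`. The sample input is constructed.

```python
import html

# Hypothetical stand-in for Zope-style "name:converter" form-variable marshalling.
# "foo:int=42" means: store the value under "foo" after converting it to int.
def marshal_form_value(name, value):
    """Return (base_name, converted_value); raise ValueError on a bad conversion."""
    if ":" in name:
        base, converter = name.split(":", 1)
        if converter == "int":
            return base, int(value)      # ValueError for non-numeric input
        if converter == "float":
            return base, float(value)
        raise ValueError("unknown converter %r" % converter)
    return name, value


def error_page_unquoted(name, value):
    """The risky pattern: the rejected value is copied into the HTML verbatim,
    so any markup a visitor was tricked into submitting is rendered as markup."""
    try:
        marshal_form_value(name, value)
        return "<p>OK</p>"
    except ValueError:
        return "<p>Invalid value for %s: %s</p>" % (name, value)


def error_page_escaped(name, value):
    """The fix: escape both the field name and the value before reflecting them,
    so the browser shows the text of the bad input instead of interpreting it."""
    try:
        marshal_form_value(name, value)
        return "<p>OK</p>"
    except ValueError:
        safe_name = html.escape(name, quote=True)
        safe_value = html.escape(value, quote=True)
        return "<p>Invalid value for %s: %s</p>" % (safe_name, safe_value)


def reflects_raw_markup(page, marker="<b>"):
    """Simple check used below: does the page contain the submitted tag unescaped?"""
    return marker in page


if __name__ == "__main__":
    # Constructed sample: a non-numeric value containing a harmless tag.
    bad = "<b>not-a-number</b>"
    print(error_page_unquoted("foo:int", bad))
    print(error_page_escaped("foo:int", bad))
    print("unquoted page reflects markup:", reflects_raw_markup(error_page_unquoted("foo:int", bad)))
    print("escaped page reflects markup: ", reflects_raw_markup(error_page_escaped("foo:int", bad)))
```

The same rule applies to anything else an error page echoes back (the field name, the request path, a referrer): treat every request-derived string as text and escape it at the point it is written into HTML.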