On Fri, 16 Jan 2004, Alan Milligan wrote:

> Tres Seaver wrote:
> > That change is one of a number which are designed to prevent 
> > cross-site scripting attacks;  DTML is particularly vulnerable to such 
> > cracks, as it doesn't force the template writer to choose the source 
> > from which the name will be bound.
> >
> > Your scenario is actually quite close to the posited attack:  imagine 
> > that user 'black_hat' inserts a document whose title has nasty 
> > javascript in an 'onload' attribute of a tag;  such javascript can be 
> > used, for instance, to steal cookies, to post to 'manage_shutdown', etc.
> >
> > Tres. 
> Wooahh
> Who are we trying to protect ourselves from??

We are protecting ourselves from nasty URLs written by anyone on the web. 
Because DTML is so implicit, it is conceivable that an URL like the 
following might kill your site (or worse!):


For a black hat to exploit your site, he only needs to convince you to
follow the link.  This is what is known as a cross-site scripting bug and
it's a widespread problem for all dynamic web servers like Zope.  People
are really concerned about it.  The only cure is to HTML-quote by default.  



Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to