Shane Hathaway wrote:
|
| We are protecting ourselves from nasty URLs written by anyone on the web.
| Because DTML is so implicit, it is conceivable that an URL like the
| following might kill your site (or worse!):
|
| http://zope.example.com/?title=<script>document.location=/Control_Panel/manage_shutdown</script>
|
| For a black hat to exploit your site, he only needs to convince you to
| follow the link. This is what is known as a cross-site scripting bug and
| it's a widespread problem for all dynamic web servers like Zope. People
| are really concerned about it. The only cure is to HTML-quote by default.
| FWIW:
|
| http://www.cgisecurity.com/articles/xss-faq.shtml
|
| Shane

The affixed patch makes it impossible to call manage_form_title directly, and thus eliminates XSS attacks on it.
This method (and probably loads more) wasn't designed to be public, but inherited this feature by virtue of being implemented as DTML.
Can someone please check and apply this patch (and back out the patch html-quoting the form-title on manage_form_title.dtml) :)
--- App/Management.py Sun Jan 18 19:43:55 2004 +++ App/Management.py.save Sun Jan 18 19:30:07 2004 @@ -173,14 +173,11 @@ manage_page_header=DTMLFile('dtml/manage_page_header', globals()) manage_page_footer=DTMLFile('dtml/manage_page_footer', globals()) - _manage_form_title =DTMLFile('dtml/manage_form_title', globals(), + manage_form_title =DTMLFile('dtml/manage_form_title', globals(), form_title='Add Form', help_product=None, help_topic=None) - def manage_form_title(self, *args, **kw): - return self._manage_form_title(self, *args, **kw) - - _manage_form_title._setFuncSignature( + manage_form_title._setFuncSignature( varnames=('form_title', 'help_product', 'help_topic') ) manage_form_title__roles__ = None
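Review bot: the diff direction is reversed. The `-` lines carry the new `_manage_form_title` attribute and the `def manage_form_title(self, *args, **kw)` wrapper, while the `+` lines carry the direct `manage_form_title =DTMLFile(...)` binding, and the headers compare App/Management.py (19:43:55) against the older App/Management.py.save (19:30:07). Applied as posted, this would remove the wrapper instead of adding it; regenerate it as a diff from Management.py.save to Management.py, or apply it with patch -R. The wrapper also carries no comment saying why the DTML file is hidden behind a plain method, so a short comment there would keep a later cleanup from re-exposing it. `manage_form_title__roles__ = None` remains as unchanged context, so it is worth confirming that this declaration is still intended for the wrapped method.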