Hi,
We got a bug report to the Plone security team, which seems to be a problem in Zope's error handling. By manipulating the Plone search in a way that it triggers a UnicodeDecodeError (which we should of course fix on our end), it falls back to the standard Zope error page, which then executes Javascript in the browser.
The original report below:
> The following Scripts and respective Query String parameters are
> vulnerable;
>
> sitename changed to xxx
>
> Vulnerable Application: http://xxx.dundeecity.gov.uk
>
> Example URL:
> http://xxx.dundeecity.gov.uk:80/search_rss?Creator=admin&sort_on=Date%22%3E%3Csc%80ript%3Ealert(document.cookie)%3C/s%81script%3E&sort_order=reverse
>
> Vulnerable Param: sort_on
> Weight: 8 (out of 10)
>
> Example URL:
> http://xxx.dundeecity.gov.uk:80/search?Creator=admin&sort_on=Date%22%3E%3Csc%80ript%3Ealert(document.cookie)%3C/s%81script%3E&sort_order=reverse
>
> Vulnerable Param: sort_on
> Weight: 8 (out of 10)
>
>
> Both these examples return the following html to the browser;
>
> Unknown sort_on index (Date"><sc�ript>alert(document.cookie)</s�script>)
> (Also, the following error occurred while attempting to render the standard
> error message, please see the event log for full details: 'ascii' codec
> can't encode character u'\ufffd' in position 227: ordinal not in range(128))
Alec Mitchell says:
> It appears to be a real issue. The combination of a UnicodeDecode
> error preventing the normal error display and the traceback sending
> unquoted html to the browser. Not sure we can fix easily at the Plone
> level though. See for example:
> http://www.ploneconf2009.org/search_rss?Creator=admin&sort_on=%80Date%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Es%80&sort_order=reverse
I can not trigger this issue - neither with the given link to ploneconf2009.de nor on one of our sites.