XSS cross-site scripting context.restrictedTraverse

Bug #502572 reported by olpat
This bug affects 1 person
Affects: Zope 2 | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none listed)

Bug Description

Consider two Zope folders:

one
 |
 +-- two

In folder one I have a Python Script that uses:

fold_one=context.restrictedTraverse('/one')

with a parameter id in the parameter list:

I can retrieve two with this:

fold_two=fold_one[id]

when I submit in my browser:

http://mysite.com/one/pythonscript?id='two'

but I can make a cross-site scripting attempt with:

http://mysite.com/one/pythonscript?id=<script>alert('XSS attempt')</script>

I have verified this in Zope 2.11.4 and Zope 2.9.6.

Revision history for this message
olpat (briguetp) wrote :

You don't have to return anything from the script. Only the line:
fold_two=fold_one[id]
returns a page with the JavaScript code.

Revision history for this message
Hanno Schlichting (hannosch) wrote :

Indeed, you shouldn't take untrusted data like query strings and use them unconditionally in your code. Proper quoting in your script is in order here.

Changed in zope2:
status: New → Invalid
security vulnerability: yes → no
visibility: private → public
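To make the advice above concrete, here is an added example (it is neither Zope's code nor the reporter's script) that models the two-folder layout from the report with a plain dict and puts the reported pattern next to a hardened version. The dict-based folder, the error-page markup, the VALID_ID pattern and the function names are assumptions made for the example; what it reproduces is the mechanism the report describes: the id from the query string reaches the folder lookup unchanged, the lookup fails, and the failed lookup comes back as a page that still contains the raw id.

```python
import html
import re

# Constructed stand-in for the layout in the report: folder "one" containing
# folder "two". Real Zope folders are ObjectManagers; a dict is enough to show
# why an unchecked id from the query string ends up in the response.
ONE = {"two": {"id": "two", "title": "folder two"}}

# The payload from the report.
XSS_PAYLOAD = "<script>alert('XSS attempt')</script>"

# Zope object ids are conservative: letters, digits and a little punctuation,
# never '<', '>' or quotes. This pattern is an assumption for the example, not
# Zope's own id check.
VALID_ID = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

NOT_FOUND_PAGE = (
    "<html><body><h1>Not Found</h1>"
    "<p>The requested resource {} could not be found.</p></body></html>"
)
BAD_REQUEST_PAGE = (
    "<html><body><h1>Bad Request</h1><p>Invalid object id.</p></body></html>"
)


def vulnerable_lookup(folder, object_id):
    """Model of the reported script: the id from the request is used as-is,
    and a miss produces an error page that echoes the raw id (reflected XSS).
    Returns (status, body) so callers can inspect the rendered page."""
    try:
        return 200, str(folder[object_id])
    except KeyError as err:
        # The key from the request is interpolated without escaping.
        return 404, NOT_FOUND_PAGE.format(err.args[0])


def safe_lookup(folder, object_id):
    """Hardened version: reject anything that cannot name a Zope object before
    touching the folder, and HTML-escape whatever is reflected on a miss."""
    if not isinstance(object_id, str) or not VALID_ID.match(object_id):
        # Markup characters never pass VALID_ID, so this branch handles the
        # payload from the report without ever reflecting it.
        return 400, BAD_REQUEST_PAGE
    try:
        return 200, str(folder[object_id])
    except KeyError as err:
        # Defence in depth: the id already passed VALID_ID, but quote it
        # anyway so a later relaxation of the pattern cannot reopen the hole.
        return 404, NOT_FOUND_PAGE.format(html.escape(err.args[0], quote=True))


def reflects_script(body):
    """True when the rendered page carries an unescaped <script> tag."""
    return "<script>" in body


def demo():
    for name, fn in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        for object_id in ("two", "missing", XSS_PAYLOAD):
            status, body = fn(ONE, object_id)
            print(f"{name:10s} id={object_id!r:40} -> {status} "
                  f"script reflected: {reflects_script(body)}")


if __name__ == "__main__":
    demo()
```

The allowlist check is the important half: quoting alone stops the markup from executing, but validating the id before the lookup also keeps request-controlled strings out of any traversal or logging code that runs on a miss.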