misplaced trust in Host header
Zope implicitly trusts the Host header from client requests, and uses its
value to construct the results from absolute_url(), and the URL*, BASE*,
and REQUESTPATH* HTTPRequest object variables. Unfortunately that behavior
allows malicious requests to poison server-side caches, tamper with log
files, and until recently posed a cross-site-
Ideally Zope would know which domains its responsible for and do something
sensible with requests for resources outside of its jurisdiction.
Several partial workarounds exist, but they tend to be problematic.
Using a VirtualHostMonster reduces the risk from malicious Host headers
provided the gateway server does host validation. Unfortunately VHMs
obtain their host data via the traversal stack, which can't be trusted
either, which leaves us somewhat screwed one way or the other.
References to bear in mind:
issue #813, where all this started
This bug is security related, but it should remain public (as should all bugs IMO.)