XSS Vulnerability in ZMI

Bug #490514 reported by Steven L Smith
Affects: Zope 2 | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

There is an XSS vulnerability in ZMI pages that use the manage_tabs_message querystring variable. Inputting html or javascript into this variable is not escaped, and will render on the page. Users need to be logged in for the attack to be possible.

For example, this page would have a big blinking "This is a problem" on it, if there were a server called "your-zope-server-here" that had Plone on it...

http://your-zope-server-here:8080/Plone/portal_setup/manage_snapshots?manage_tabs_message=%3Ch1%20style=%22text-decoration:blink%22%3EThis%20is%20a%20problem%3C/h1%3E

Steven L Smith (ssmith46) wrote :
visibility: private → public
Tres Seaver (tseaver) wrote : Re: [zope2-tracker] [Bug 490514] Re: XSS Vulnerability in ZMI


Steven L Smith wrote:
> ** Attachment added: "Screenshot of the problem"
> http://launchpadlibrarian.net/36268764/xss_in_zope.jpg
>
> ** Visibility changed to: Public
>

 status confirmed
 assigned tseaver

This bug is not actually present in the default ZMI, where the
views are all implemented as DTMLFiles. Rather, it shows up in
add-on product code (such as GenericSetup) which uses
PageTemplateFiles for the ZMI, but calls into the existing DTML
header and footer templates, like so:

  <h1 tal:replace="structure here/manage_page_header">HEADER</h1>
  <h1 tal:replace="structure here/manage_tabs">TABS</h1>
  ...
  <h1 tal:replace="structure here/manage_page_footer">FOOTER</h1>

In this case, the code in the call_with_ns function (in
Products.PageTemplates.ZRPythonExpr) fails to ensure that "tainting"
is preserved.

The attached patch adds a test for this case and fixes the bug. I plan
to check the patch in on the 2.10, 2.11, and 2.12 branches and on the trunk.

Tres.
--
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com
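As an added illustration (not Zope's code and not the attached patch), here is a simplified Python model of the mechanism Tres describes: the DTML header escapes request values that carry a taint marker, a bridge that rebuilds the namespace as plain strings drops that marker and the raw HTML reaches the page, while a bridge that passes values through unchanged keeps escaping intact. All names (Tainted, dtml_message, call_with_ns_buggy, call_with_ns_fixed) are hypothetical stand-ins for the real Zope machinery.

```python
import html


class Tainted(str):
    """Marker for text that arrived from an untrusted source (the query string).
    Modelled on the idea of Zope's tainted request values; not Zope's own class."""


def dtml_message(message):
    """Model of the DTML manage_tabs header rendering manage_tabs_message:
    a Tainted value is HTML-escaped, a plain str is trusted and emitted as-is."""
    if isinstance(message, Tainted):
        return "<div class='message'>%s</div>" % html.escape(message)
    return "<div class='message'>%s</div>" % message


def page_template(ns):
    """Model of a ZMI page template doing
    <h1 tal:replace="structure here/manage_tabs"> ('structure' = insert verbatim)."""
    return dtml_message(ns["manage_tabs_message"])


def call_with_ns_buggy(template, ns):
    # Hypothetical buggy bridge: rebuilding the namespace through str() turns
    # Tainted values into plain str, so the DTML side no longer escapes them.
    return template({name: str(value) for name, value in ns.items()})


def call_with_ns_fixed(template, ns):
    # Hypothetical fixed bridge: values are passed through untouched, so the
    # taint marker survives into the DTML header and escaping still happens.
    return template(dict(ns))


# Constructed sample: the payload from the report as it arrives in the request.
PAYLOAD = '<h1 style="text-decoration:blink">This is a problem</h1>'


def render_tabs(bridge, query_value):
    """Render the tabs message through the given bridge for a request value."""
    ns = {"manage_tabs_message": Tainted(query_value)}
    return bridge(page_template, ns)


def is_escaped(rendered):
    """True when no raw tag from the payload reached the output."""
    return "<h1" not in rendered


if __name__ == "__main__":
    for bridge in (call_with_ns_buggy, call_with_ns_fixed):
        out = render_tabs(bridge, PAYLOAD)
        print(bridge.__name__, "escaped" if is_escaped(out) else "NOT escaped")
```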

Changed in zope2:
status: New → Confirmed
Tres Seaver (tseaver)
Changed in zope2:
status: Confirmed → Fix Committed
Changed in zope2:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.