XSS Vulnerability in ZMI
Bug #490514 reported by
Steven L Smith
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Zope 2 |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
There is an XSS vulnerability in ZMI pages that use the manage_tabs_message querystring variable. Inputting html or javascript into this variable is not escaped, and will render on the page. Users need to be logged in for the attack to be possible.
For example, this page would have a big blinking "This is a problem" on it, if there were a server called "your-zope-
Revision history for this message
| Tres Seaver (tseaver) wrote Re: [zope2-tracker] [Bug 490514] Re: XSS Vulnerability in ZMI | #2 |
| Changed in zope2: | |
| status: | New → Confirmed |
| Changed in zope2: | |
| status: | Confirmed → Fix Committed |
| Changed in zope2: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steven L Smith wrote:
> ** Attachment added: "Screenshot of the problem"
> http://
>
> ** Visibility changed to: Public
>
status confirmed
assigned tseaver
This bug is not actually present in the default ZMI, where the
views are all implemented as DTMLFiles. Rather, it shows up in
add-on product code (such as GenericSetup) which use
PageTemplateFiles for the ZMI, but call into the existing DTML
header and footer templates so::
<h1 tal:replace=
<h1 tal:replace=
...
<h1 tal:replace=
In this case, the code in the call_with_ns function (in
Products.
is preserved.
The attached patch adds a test for this case and fixes the bug. I plan
to check the patch in on the 2.10, 2.11, and 2.12 branches and on the trunk.
Tres.
- --
=======
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://
iEYEARECAAYFAks
Bd4AoNtahkj6k9X
=yIGq
-----END PGP SIGNATURE-----