XSS Vulnerability in ZMI
Bug #490514 reported by Steven L Smith
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Fix Released | Undecided | Unassigned |
Bug Description
There is an XSS vulnerability in ZMI pages that use the manage_tabs_message querystring variable. HTML or JavaScript supplied in this variable is not escaped and will render on the page. Users need to be logged in for the attack to be possible.
For example, this page would have a big blinking "This is a problem" on it, if there were a server called "your-zope-
Changed in zope2: status: Confirmed → Fix Committed
Changed in zope2: status: Fix Committed → Fix Released
Steven L Smith wrote:
> ** Attachment added: "Screenshot of the problem"
> http://launchpadlibrarian.net/36268764/xss_in_zope.jpg
>
> ** Visibility changed to: Public
>
status confirmed
assigned tseaver
This bug is not actually present in the default ZMI, where the
views are all implemented as DTMLFiles. Rather, it shows up in
add-on product code (such as GenericSetup) which use
PageTemplateFiles for the ZMI, but call into the existing DTML
header and footer templates so::
    <h1 tal:replace="structure here/manage_page_header">HEADER</h1>
    <h1 tal:replace="structure here/manage_tabs">TABS</h1>
    ...
    <h1 tal:replace="structure here/manage_page_footer">FOOTER</h1>
In this case, the code in the call_with_ns function (in
Products.PageTemplates.ZRPythonExpr) fails to ensure that "tainting"
is preserved.
The attached patch adds a test for this case and fixes the bug. I plan
to check the patch in on the 2.10, 2.11, and 2.12 branches and on the trunk.
Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          <email address hidden>
Palladion Software   "Excellence by Design"    http://palladion.com
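The taint-loss mechanism described in the comment above, as an added example that is not Zope's code: a simplified model of request-value tainting in which a page-template path coerces the value to a plain string (dropping the taint) while the fixed path hands the tainted wrapper through so the header template quotes it. The names TaintedString, publish_request_value, render_message, call_with_ns_lossy and call_with_ns_fixed are illustrative, not Zope's API, and the query string is constructed from the report's own "This is a problem" message.

```python
# Added example (not Zope code): a minimal model of Zope-style string tainting
# showing how the manage_tabs_message XSS arises when taint is dropped.
# All names here are illustrative stand-ins, not Zope's real API.
from html import escape


class TaintedString:
    """A request value containing markup characters; must be quoted on output."""

    def __init__(self, value: str):
        self._value = value

    def __str__(self) -> str:
        # A plain str() coercion yields the raw text with no taint marker:
        # this is exactly the failure mode the fix has to prevent.
        return self._value

    def quoted(self) -> str:
        return escape(self._value, quote=True)


def publish_request_value(raw: str):
    """Mimic the publisher: values that contain '<' are wrapped as tainted."""
    return TaintedString(raw) if "<" in raw else raw


def render_message(msg) -> str:
    """Mimic the DTML page header: quote tainted values, pass plain text through."""
    text = msg.quoted() if isinstance(msg, TaintedString) else msg
    return f'<div class="system-msg">{text}</div>'


def call_with_ns_lossy(ns: dict) -> str:
    """Buggy path: the namespace value is coerced to str, so taint is lost."""
    return render_message(str(ns["manage_tabs_message"]))


def call_with_ns_fixed(ns: dict) -> str:
    """Fixed path: the tainted wrapper reaches the header template unchanged."""
    return render_message(ns["manage_tabs_message"])


def raw_markup_present(html: str, raw: str) -> bool:
    """Detection helper: did the untrusted markup survive verbatim in the output?"""
    return raw in html


# Constructed query-string input, taken from the report's own example message.
CONSTRUCTED_QUERY = {"manage_tabs_message": "<blink>This is a problem</blink>"}
NS = {k: publish_request_value(v) for k, v in CONSTRUCTED_QUERY.items()}
```

Running both paths over NS shows the lossy path emitting the blink tag verbatim while the fixed path emits it entity-encoded.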