[Zope-dev] Vulnerability: attacker can get file list and directory

Shane Hathaway shane@zope.com
Mon, 24 Sep 2001 14:47:20 -0400


sean.upton@uniontrib.com wrote:

> Personally, I think this really should be an integration issue instead of a
> Zope issue: use a front-end proxy server (i.e. Squid) and set up ACLs to
> prevent this...


This hasn't been fixed because it's not well understood.  Javascript can 
POST an invisible form, AFAIK.  The problem occurs on the browsers of 
users who are *already authenticated*.  It has nothing to do with Zope 
or any server software, really.

Let's say I wanted to boost a stock price using a client-side trojan.  I 
could post a page that gives the details about some fictitious seminar 
that helps people do better in the stock market.  I could advertise my 
page on a stock trading site.

I could add a frame of height 0 to this page.  The frame would invisibly 
make a request to the stock trading site that would buy a certain 
stock.  If I use an anonymizer, I might be able to make a few bucks.

It would work because the unknowing visitor would be logged in with a 
cookie.  The script acts as an "agent" for the user.  The problem is 
that there is no way for the stock trading site to tell the difference 
between the user and the agent.

I don't know of any actual exploits, but I think it's a much more 
serious issue than revealing paths. :-)

Shane