Re: CVE-2011-4924 assignment notification -- Zope2, Zope3: Incomplete upstream fix for CVE-2010-1104 issue

[Jan Lieskovsky <jlieskov () redhat com>]

On 01/19/2012 01:42 PM, Yves-Alexis Perez wrote:
> On jeu., 2012-01-19 at 13:12 +0100, Jan Lieskovsky wrote:
> > A cross site scripting (XSS) flaw was found in the way Zope2 and Zope3
> > performed error messages sanitization. If a remote attacker could trick a user,
> > who was logged into Zope2, into visiting a specially-crafted URL, it would lead
> > to arbitrary web script execution in the context of user's Zope2 session. If a
> > remote attacker could trick a user, who was logged into Zope3, into examining
> > error entries for particular Zope3 instance, it would lead to arbitrary web
> > script execution in the context of user's Zope3 session.
>
> Does this mean CVE-2010-1104 applies to Zope3 too, or the fix for this
> CVE created CVE-2011-4924?

The former. The CVE-2010-1104 issue was applicable to Zope3 too (just wasn't
described in the description). The reason probably being the CVE-2010-1104
to had been reported against Zope2 version only (according to particular
LaunchPad bug).

Zope2 patch for CVE-2010-1104 was incomplete (still allowing XSS). Not sure,
if there was some Zope3 patch for CVE-2010-1104 applied.

Jan-Wijbrand Kolman could you clarify and help us to understand original
CVE-2010-1104 situation in Zope3?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> Regards,