oss-sec mailing list archives
Re: XSS In Zope
From: cve-assign () mitre org
Date: Mon, 2 Mar 2015 09:37:15 -0500 (EST)
https://bugs.launchpad.net/zope2/+bug/490514
https://github.com/zopefoundation/Zope/commit/2abdf14620f146857dc8e3ffd2b6a754884c331d
There is an XSS vulnerability in ZMI pages that use the manage_tabs_message querystring variable.
This bug is not actually present in the default ZMI, where the views are all implemented as DTMLFiles. Rather, it shows up in add-on product code (such as GenericSetup) which use PageTemplateFiles for the ZMI, but call into the existing DTML header and footer templates so::

    <h1 tal:replace="structure here/manage_page_header">HEADER</h1>
    <h1 tal:replace="structure here/manage_tabs">TABS</h1>
    ...
    <h1 tal:replace="structure here/manage_page_footer">FOOTER</h1>

In this case, the code in the call_with_ns function (in Products.PageTemplates.ZRPythonExpr) fails to ensure that "tainting" is preserved.
preserve tainting when calling into DTML from ZPT.
src/Products/PageTemplates/ZRPythonExpr.py + if hasattr(request, 'taintWrapper'): + request = request.taintWrapper()
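Review bot: The hasattr(request, 'taintWrapper') guard falls back silently to the untainted request when the attribute is absent, so on that path the DTML templates still receive raw values and nothing records that tainting was skipped. A short comment saying which request objects are expected to lack taintWrapper would help here. The quoted lines also show no test; a regression test that renders manage_tabs from a PageTemplateFile with markup in manage_tabs_message and checks that the output is escaped would pin the fix.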
Use CVE-2009-5145.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
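The tainting failure described in the quoted report, as an added illustration that is not part of the original message and is not Zope's code. It is a simplified model: the classes Tainted, Request and TaintingRequest and the function render_tabs are hypothetical stand-ins, and only the names taintWrapper, call_with_ns and manage_tabs_message come from the message.

```python
import html

class Tainted(str):
    """Toy marker for a client-supplied string that contains markup."""
    def quoted(self):
        return html.escape(str(self), quote=True)

class Request:
    """Toy request: plain lookups return raw strings."""
    def __init__(self, form):
        self.form = dict(form)
    def get(self, key, default=""):
        return self.form.get(key, default)
    def taintWrapper(self):
        return TaintingRequest(self)

class TaintingRequest:
    """View of a Request whose lookups mark values containing '<' as Tainted."""
    def __init__(self, request):
        self._request = request
    def get(self, key, default=""):
        value = self._request.get(key, default)
        return Tainted(value) if "<" in value else value

def render_tabs(request):
    """Stand-in for the DTML tabs template: it escapes only Tainted values."""
    msg = request.get("manage_tabs_message")
    if isinstance(msg, Tainted):
        msg = msg.quoted()
    return "<div class='system-msg'>%s</div>" % msg

def call_with_ns_unpatched(template, request):
    # Passes the raw request through, so the template never sees Tainted values.
    return template(request)

def call_with_ns_patched(template, request):
    # Same guard as the quoted patch: switch to the tainting view when available.
    if hasattr(request, 'taintWrapper'):
        request = request.taintWrapper()
    return template(request)

# Constructed sample input, not taken from the report.
SAMPLE = Request({"manage_tabs_message": "<b>saved</b>"})

if __name__ == "__main__":
    print(call_with_ns_unpatched(render_tabs, SAMPLE))  # markup reaches the page
    print(call_with_ns_patched(render_tabs, SAMPLE))    # markup is escaped
```

The template code is identical in both calls; only the request object handed to it differs, which is why the default DTML-only ZMI was unaffected.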
Current thread:
- XSS In Zope Kurt Seifried (Feb 26)
- Re: XSS In Zope cve-assign (Mar 02)