Date: Mon,  2 Mar 2015 09:37:15 -0500 (EST)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, tseaver@...ladion.com, matt@...thewwilkes.name, nathan@...gheem.us
Subject: Re: XSS In Zope

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.launchpad.net/zope2/+bug/490514
> https://github.com/zopefoundation/Zope/commit/2abdf14620f146857dc8e3ffd2b6a754884c331d

> There is an XSS vulnerability in ZMI pages that use the
> manage_tabs_message querystring variable.

> This bug is not actually present in the default ZMI, where the
> views are all implemented as DTMLFiles. Rather, it shows up in
> add-on product code (such as GenericSetup) which uses
> PageTemplateFiles for the ZMI, but call into the existing DTML
> header and footer templates so::
> 
>   <h1 tal:replace="structure here/manage_page_header">HEADER</h1>
>   <h1 tal:replace="structure here/manage_tabs">TABS</h1>
>   ...
>   <h1 tal:replace="structure here/manage_page_footer">FOOTER</h1>
> 
> In this case, the code in the call_with_ns function (in
> Products.PageTemplates.ZRPythonExpr) fails to ensure that "tainting"
> is preserved.

> preserve tainting when calling into DTML from ZPT.

> src/Products/PageTemplates/ZRPythonExpr.py
> +   if hasattr(request, 'taintWrapper'):
> +       request = request.taintWrapper()
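Review bot: the `if hasattr(request, 'taintWrapper'):` guard means any request object that lacks a taintWrapper method silently reaches the DTML template untainted, which is the same condition the fix is closing; a comment stating which request types are expected to lack the method, and why that path is safe, would make the intent reviewable, and a regression test that renders a PageTemplateFile calling manage_tabs with an HTML-bearing manage_tabs_message would catch the wrapper being dropped again.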

Use CVE-2009-5145.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU9HUHAAoJEKllVAevmvmsen4H/j/LhKRNPKej5EjMgaIEgQHu
VRfuIRy21r1xBJLMtN+JHofRdknvjHFbVBlzI2rRyGUd8YwOiA0HM2sz1/sR4F6z
gwm97+XDhi6YHIJHHlMhGOM1rrlx7nu0HHgWxwNFL+7LxbuyaZUYsskvUopyTD/J
Y60vg4lkkXf0jIphw1Qj8Yhzk0OIvKxjUL1V+Fd8aiLiHoXDA6fovkVI9be0deWB
OCeHpXE2DHpvW9IZLio+QsBaajHxfiKc2ib2k4ilBwxE6B4c7OpsBbgC6A6YHMhm
WtqK8h8pRxX+IwISSZS1Ar+OSlw9lKuSox09s3tZyoLpmYjhPeEisDm0YdbxPwE=
=ankS
-----END PGP SIGNATURE-----
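The mechanism described in the quoted report, as an added illustration that is not Zope's code: request values carry a "taint" mark, the output sink escapes marked values, and the bug is that calling from ZPT into the DTML header and footer handed the template a raw request whose values had lost the mark. The `TaintedString`, `Request`, `TaintedRequest`, `emit` and `manage_tabs` names below are constructed stand-ins for the corresponding Zope machinery, and `call_with_ns_before` and `call_with_ns_after` model the behaviour before and after the quoted one-line change.

```python
import html


class TaintedString(str):
    """Marks a value as untrusted. Constructed stand-in for Zope's taint
    marking, not Zope's own class. Concatenation keeps the mark so it
    survives being passed around inside template code."""

    def __add__(self, other):
        return TaintedString(str.__add__(self, other))

    def __radd__(self, other):
        return TaintedString(str.__add__(str(other), self))


class Request(dict):
    """Plain request: values come back as ordinary, untainted str."""

    def taintWrapper(self):
        return TaintedRequest(self)


class TaintedRequest:
    """Read-only view that hands out every request value as TaintedString."""

    def __init__(self, request):
        self._request = request

    def get(self, key, default=""):
        value = self._request.get(key, default)
        return TaintedString(value) if isinstance(value, str) else value


def emit(value):
    """Output sink used by the DTML stand-in: tainted values are
    HTML-escaped, untainted values are trusted and inserted verbatim."""
    if isinstance(value, TaintedString):
        return html.escape(value, quote=True)
    return str(value)


def manage_tabs(request):
    """Stand-in for the DTML tabs template that echoes manage_tabs_message."""
    message = request.get("manage_tabs_message", "")
    return "<div class='system-msg'>" + emit(message) + "</div>"


def call_with_ns_before(template, request):
    """Pre-fix behaviour: the raw request reaches the DTML template, so the
    query string value arrives as plain str and is trusted by the sink."""
    return template(request)


def call_with_ns_after(template, request):
    """Post-fix behaviour: wrap the request so tainting is preserved."""
    if hasattr(request, "taintWrapper"):
        request = request.taintWrapper()
    return template(request)


# Constructed request: a query string value chosen by the client.
SAMPLE_REQUEST = Request(manage_tabs_message="Saved. <script>alert(1)</script>")


def render_before():
    return call_with_ns_before(manage_tabs, SAMPLE_REQUEST)


def render_after():
    return call_with_ns_after(manage_tabs, SAMPLE_REQUEST)


if __name__ == "__main__":
    print("before:", render_before())
    print("after: ", render_after())
```

The taint mark is only as good as the paths that preserve it: the default ZMI never lost it because DTML called DTML with the same request object, and the wrapper step in `call_with_ns_after` is what restores that property when a page template is the caller.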
