Trojan horse issues overview
A problem with the current Zope security model was recently brought to our attention. The issue involves a way that less privileged site users with the ability to edit DTML could trick more privileged users into executing their content, so that actions are taken with the higher privileged user's authority that he did not intend (and may not even be aware of).
Managers of Zope sites that allow untrusted users to edit "executable" content such as DTMLDocuments, DTMLMethods or SQLMethods are strongly encouraged to read the full document on the "server-side trojan issue". The document describes the issue in more detail, explains whether your site may be affected, describes what has been done to address this in the forthcoming 2.2.0 release, and lists the operational security measures you should put in place in the meantime to protect your site from mischief. We expect to make an alpha of 2.2 available this week.
The full description of the server-side trojan issue is at::
Even if your site is not currently affected by the issue, it would be a good idea to review the changes to the security policy that will be coming in 2.2, as some existing Zope sites may require tweaking under the revised policy.
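The following is an added illustration of the policy change the server-side trojan issue calls for; it is not Zope code, and the user names, permission sets and the exact rule that 2.2 applies are assumptions made for this example. It contrasts executable content that runs with the full rights of whoever views it against content whose effective rights are limited to what both its author and the viewer hold.

```python
from dataclasses import dataclass

# Constructed sample site: one manager and one untrusted editor.
PERMISSIONS = {
    "alice": {"View", "Change DTML", "Delete objects"},   # site manager
    "mallory": {"View", "Change DTML"},                   # untrusted editor
}


@dataclass
class ExecutableDocument:
    author: str          # user who last edited the executable content
    actions: list        # privileged operations the content attempts when rendered


def run_unowned(doc: ExecutableDocument, viewer: str) -> dict:
    """Model of the vulnerable policy: content executes with the viewer's full rights.

    Whatever the author wrote runs as the viewer, so an editor can have a manager
    perform actions the editor could not perform directly.
    """
    granted = PERMISSIONS[viewer]
    return {action: action in granted for action in doc.actions}


def run_owned(doc: ExecutableDocument, viewer: str) -> dict:
    """Model of the hardened policy (assumed rule): an action is allowed only if
    BOTH the content's author and the viewer hold the permission.

    The author's own rights form a ceiling on what the content can do, so luring
    a more privileged viewer to the page gains the author nothing.
    """
    effective = PERMISSIONS[doc.author] & PERMISSIONS[viewer]
    return {action: action in effective for action in doc.actions}


def demo() -> tuple:
    """Run both models over the same constructed document for comparison."""
    doc = ExecutableDocument(author="mallory", actions=["View", "Delete objects"])
    return run_unowned(doc, "alice"), run_owned(doc, "alice")
```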
In the course of assessing this issue, we recognized that there is a much deeper issue that affects all Web accessible applications, not just Zope. We have been calling this the "client-side trojan issue". It is a totally separate issue that affects the Web as a whole, but is similar in that it involves ways that content almost anywhere on the Web can trick you into taking unintended actions on almost any Web accessible system.
After some preliminary evaluation, this appears to be a pretty complex issue with roots deep in the current architecture of the Web and no simple immediate technical solution. We have tested a number of other Web-based systems and found every one so far to be vulnerable to this sort of attack. We strongly urge Zope users (or users of any Web-based system, for that matter!) to read the full document on the client-side trojan issue that describes the issue in more detail and provides some initial operational procedures that should be used to reduce risk when using any Web-managed system (including Zope sites).
A more detailed discussion of the client-side trojan issue is at::
Although as noted above we know of no "simple, immediate" solution to this one, we feel strongly that the web-wide client-side trojan issue is one that demands a technical means of at least mitigating the risks. I would like to get the Zope community involved in discussing this on the zope-dev list, to start working out possible technical ways of dealing with it.