History for TrojanIssueOverview
Trojan horse issues overview
A problem with the current Zope security model was recently brought
to our attention. The issue involves a way that less privileged site
users with the ability to edit DTML could trick more privileged users
into executing their content, taking actions on behalf of the higher
privileged user that he did not intend (and may not even be aware of).
Managers of Zope sites that allow untrusted users to edit "executable"
content such as DTMLDocuments, DTMLMethods or SQLMethods are strongly
encouraged to read the full document on the "server-side trojan issue".
The document describes the issue in more detail, whether your site may
be affected, what has been put in place to address this in the
forthcoming 2.2.0 release and what operational security measures you
should put in place in the meantime to protect your site from mischief.
We expect to make an alpha of 2.2 available this week.
The full description of the server-side trojan issue is at:
http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan
Even if your site is not currently affected by the issue, it would be
a good idea to review the changes to the security policy that will be
coming in 2.2, as some existing Zope sites may require tweaking under
the revised policy.
In the course of assessing this issue, we recognized that there is a
much deeper issue that affects *all Web accessible applications*, not
just Zope. We have been calling this the "client-side trojan issue".
It is a totally separate issue that affects the Web as a whole, but is
similar in that it involves ways that content almost anywhere on the
Web can trick you into taking unintended actions on almost any Web
accessible system.
After some preliminary evaluation, this appears to be a pretty complex
issue with roots deep in the current architecture of the Web and no
simple immediate technical solution. We have tested a number of other
Web-based systems and found every one so far to be vulnerable to this
sort of attack. We strongly urge Zope users (or users of any Web-based
system, for that matter!) to read the full document on the client-side
trojan issue that describes the issue in more detail and provides some
initial operational procedures that should be used to reduce risk when
using any Web-managed system (including Zope sites).
A more detailed discussion of the client-side trojan issue is at:
http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan
Although, as noted above, we know of no "simple, immediate" solution to
this one, we feel strongly that the web-wide client-side trojan issue is
one that demands a technical means of at least mitigating the risks. I
would like to get the Zope community involved in the discussion of this
on the zope-dev list, to start working out possible technical ways of
dealing with it.