Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0155
A number of vulnerabilities have been identified in Plone
7 November 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Plone
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Administrator Compromise -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Remote with User Interaction
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
Member content until: Friday, December 7 2012
OVERVIEW
A number of vulnerabilities have been identified in all current Plone
versions prior to PloneHotfix20121106. [1]
IMPACT
The vendor has provided the following descriptions of these
vulnerabilities:
"Restricted Python injection
Anonymous users can cause an arbitrary Python statement to be run
when the admin interface is accessed. No breakout of the in-built
Python sandbox is possible, but it will run with the privileges of
that admin user." [2]
"Reflexive HTTP header injection
A crafted URL can contain arbitrary HTTP headers that are then
returned to the user. Can be used to log users out, for example." [2]
"Restricted Python sandbox escape
Accidental exposure of the sandbox whitelisting function when
imported from a certain, nonstandard location." [2]
"Restricted Python injection
Crafted URL allows arbitrary (sandboxed) Python to be run." [2]
"Partial restricted Python sandbox escape
Incomplete security declarations on certain objects allow permission
checking to be bypassed on some functions." [2]
"Reflexive XSS
Crafted URL allows a passed full response body (or a redirect
target) to be returned by accidental exposure of internal methods of
the response file handle on a URL." [2]
"Partial permissions bypass
Can be used to access a subset of attributes of unpublished content
items through a crafted URL, if that content's path is known" [2]
"Restricted Python sandbox escape
Escape from sandbox through a utility function not checking that it
has valid inputs, allowing access to the trusted builtins" [2]
"Reflexive XSS
Utility function is callable directly through a crafted URL and
accepts a default value." [2]
"Restricted Python injection
Crafted URL allows arbitrary (sandboxed) Python to be run" [2]
"DoS through unsanitised inputs into Kupu" [2]
"Anonymous users can list user account names
A method of the membership database is insufficiently protected,
allowing users who do not have permission to enumerate users to do
so through a crafted URL" [2]
"Partial denial of service through Collections functionality
This DoS causes large amounts of IO and cache churn, meaning it can
be used to DoS a site if accessed repeatedly" [2]
"Partial denial of service through internal function
DoS through exposed utility function" [2]
"Anonymous users can batch change titles of content items
The batch id change script does not correctly handle anonymous users
attempting to change titles but leaving the ids the same correctly.
Allows anonymous users to craft a POST request (once they've found a
valid CSRF token) to change content titles arbitrarily." [2]
"Crafted URL allows downloading of BLOBs that are not visible to the
user
BLOBs stored on custom content types can be accessed through a
non-standard URL, bypassing the declared permission check" [2]
"Persistent XSS via filtering bypass
HTML content crafted by users may allow execution of arbitrary
javascript on specific browsers." [2]
"Users connected through FTP can list hidden folder contents
Users can read the contents of folders (but not access the files
themselves) that they would otherwise be unable to access." [2]
"Persistent XSS
Crafted URLs allow arbitrary strings (including full HTML) to be
stored in memory against a key, that can then be read out again on a
related URL." [2]
"Attempting to access a view with no name returns an internal data
structure
Some types of URL can be ambiguous, the unambiguous form allows
anonymous views. On some content types an anonymous view lookup
returns a private data structure, which under certain circumstances
may be used to read out confidential data." [2]
"DoS through RSS on private folder
A specially crafted URL invoking the RSS feed for a folder the user
doesn't have access to (but knows the path of) can cause an infinite
loop, trying up a server thread." [2]
"Timing attack in password validation
The equality test in our authentication system is not constant time,
allowing a user with a sufficiently stable, fast connection to the
server to check hash prefixes" [2]
"PRNG isn't reseeded
We are using a Python random (seeded via system random), not system
random, which in a long running process means it isn't reseeded. In
addition, our error pages leak random numbers, allowing the state of
the PRNG used for password resets to be derived." [2]
"Form detail exposure
A vulnerability in z3c.form that leaks default values of form fields
through crafted URLs." [2]
MITIGATION
The vendor recommends applying PloneHotfix20121106 to correct these
issues. [1]
REFERENCES
[1] Security vulnerability: 20121106 - Multiple vectors
http://plone.org/products/plone/security/advisories/20121106-announcement
[2] Security vulnerability announcement: 20121106 - Multiple vectors
http://plone.org/products/plone/security/advisories/20121106
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUJn7je4yVqjM2NGpAQLsiA//SqL60lSmM/eYpc/nEOkAcbk60sTX8SQG
Eq7j0XyQzVoOP44h6tsgnue0aLX+p0VLDPHK1wINY+KzhpPPmrMlFP4XrwQFZ3Fa
iu1JYtkaXWx2L4SIS8BjDtiIpd51gD1OToJeBjzY7Odkkj3pqSJSEVvG1GIU6CiC
TnWrhSulF1HvGCtI01886i0eOcSzFHhJc5fpInkRTzHF2fBMbV3MjPxAdU40T2bT
1DA7AFQCEvrMEg9vZdtndEriOu2+KBX1x47WH4ajuiElws3AmiRGWbSuEamOhQI/
rtXeghtDwINmpTNqBmQLsEd3zmPgT6J+0RX0wiTmnP0OXpmtIgVBg/X3VAdG+m4c
/VKI7TQ34PgekMzidVn32cZemmV5bhrE94WcvH/qQFzIoZYSLG1K2qOBnAE+QsHG
yqKcagSjenuwGA8FInkg3BiofZ1t1FK7Epqdppo+sCh3bUUWBadh3UP/gBMJv89Y
C/fWwR+rYo2SOuxRf8vNrKqYbpYccwvQn5tOQCpTsALKWRMJWfTSTJ4qWWvZWSBY
gPFRsUihk2f+mbJwLr9HE8bhr6whMmFb89dG4ttO2mAKT8hG74xAknQPqeEUDaZE
pWhCKAKTGfWt+MIQx3UhwdX9R5Kg/CncpgCYWqIUatWzodvxF571VaQ8TK0b2kU2
cxumYZAaGWc=
=7Mo4
-----END PGP SIGNATURE-----