-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2012.0155
        A number of vulnerabilities have been identified in Plone
                              7 November 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Plone
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Administrator Compromise        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Member content until: Friday, December 7 2012

OVERVIEW

        A number of vulnerabilities have been identified in all current
        Plone versions that do not have PloneHotfix20121106 applied. [1]

IMPACT

        The vendor has provided the following descriptions of these
        vulnerabilities:

        "Restricted Python injection
        Anonymous users can cause an arbitrary Python statement to be run
        when the admin interface is accessed. No breakout of the in-built
        Python sandbox is possible, but it will run with the privileges of
        that admin user." [2]

        "Reflexive HTTP header injection
        A crafted URL can contain arbitrary HTTP headers that are then
        returned to the user. Can be used to log users out, for example." [2]

        "Restricted Python sandbox escape
        Accidental exposure of the sandbox whitelisting function when
        imported from a certain, nonstandard location." [2]

        "Restricted Python injection
        Crafted URL allows arbitrary (sandboxed) Python to be run." [2]

        "Partial restricted Python sandbox escape
        Incomplete security declarations on certain objects allow
        permission checking to be bypassed on some functions." [2]

        "Reflexive XSS
        Crafted URL allows a passed full response body (or a redirect
        target) to be returned by accidental exposure of internal methods
        of the response file handle on a URL." [2]

        "Partial permissions bypass
        Can be used to access a subset of attributes of unpublished content
        items through a crafted URL, if that content's path is known." [2]

        "Restricted Python sandbox escape
        Escape from sandbox through a utility function not checking that it
        has valid inputs, allowing access to the trusted builtins." [2]

        "Reflexive XSS
        Utility function is callable directly through a crafted URL and
        accepts a default value." [2]

        "Restricted Python injection
        Crafted URL allows arbitrary (sandboxed) Python to be run." [2]

        "DoS through unsanitised inputs into Kupu" [2]

        "Anonymous users can list user account names
        A method of the membership database is insufficiently protected,
        allowing users who do not have permission to enumerate users to do
        so through a crafted URL." [2]

        "Partial denial of service through Collections functionality
        This DoS causes large amounts of IO and cache churn, meaning it can
        be used to DoS a site if accessed repeatedly." [2]

        "Partial denial of service through internal function
        DoS through exposed utility function." [2]

        "Anonymous users can batch change titles of content items
        The batch id change script does not correctly handle anonymous
        users attempting to change titles but leaving the ids the same.
        Allows anonymous users to craft a POST request (once they've found
        a valid CSRF token) to change content titles arbitrarily." [2]

        "Crafted URL allows downloading of BLOBs that are not visible to
        the user
        BLOBs stored on custom content types can be accessed through a
        non-standard URL, bypassing the declared permission check." [2]

        "Persistent XSS via filtering bypass
        HTML content crafted by users may allow execution of arbitrary
        JavaScript on specific browsers." [2]

        "Users connected through FTP can list hidden folder contents
        Users can read the contents of folders (but not access the files
        themselves) that they would otherwise be unable to access." [2]

        "Persistent XSS
        Crafted URLs allow arbitrary strings (including full HTML) to be
        stored in memory against a key, that can then be read out again on
        a related URL." [2]

        "Attempting to access a view with no name returns an internal data
        structure
        Some types of URL can be ambiguous; the unambiguous form allows
        anonymous views. On some content types an anonymous view lookup
        returns a private data structure, which under certain circumstances
        may be used to read out confidential data." [2]

        "DoS through RSS on private folder
        A specially crafted URL invoking the RSS feed for a folder the user
        doesn't have access to (but knows the path of) can cause an
        infinite loop, tying up a server thread." [2]

        "Timing attack in password validation
        The equality test in our authentication system is not constant
        time, allowing a user with a sufficiently stable, fast connection
        to the server to check hash prefixes." [2]

        "PRNG isn't reseeded
        We are using a Python random (seeded via system random), not system
        random, which in a long-running process means it isn't reseeded. In
        addition, our error pages leak random numbers, allowing the state
        of the PRNG used for password resets to be derived." [2]

        "Form detail exposure
        A vulnerability in z3c.form that leaks default values of form
        fields through crafted URLs." [2]

MITIGATION

        The vendor recommends applying PloneHotfix20121106 to correct these
        issues. [1]
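The "Timing attack in password validation" item above describes an equality test that returns as soon as a byte differs. The Python example below is added here for illustration; it is not code from the AusCERT bulletin or from Plone. It models the side channel by counting how many bytes a comparison examines (standing in for the latency a remote attacker measures), shows that the count lets an attacker recover a secret one byte at a time, and shows that a comparison which always examines every byte, or hmac.compare_digest from the standard library, gives the attacker nothing. The function names and the sample secret are assumptions.

```python
import hashlib
import hmac


def leaky_equal(a: bytes, b: bytes):
    """Byte-by-byte equality that stops at the first mismatch.

    Returns (equal, bytes_examined). The second value is the side channel:
    over a stable connection it shows up as response time, so a caller
    learns how long the matching prefix is.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes):
    """Equality that examines every byte regardless of where a mismatch is.

    Same (equal, bytes_examined) shape as leaky_equal so the two can be
    compared; bytes_examined is now independent of the input.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def recover_via_oracle(oracle, length: int) -> bytes:
    """Greedy prefix recovery using only the oracle's cost output.

    For each position, try all 256 bytes with zero padding after them and
    keep the guess whose comparison examined the most bytes. Against
    leaky_equal the correct byte always costs at least one byte more than
    any wrong byte. Against constant_time_equal every guess costs the same,
    so the attacker learns nothing and the result is garbage.
    """
    known = b""
    for pos in range(length):
        best_guess, best_cost = None, -1
        for guess in range(256):
            candidate = known + bytes([guess]) + bytes(length - pos - 1)
            equal, cost = oracle(candidate)
            if equal:            # only reachable on the final byte
                return candidate
            if cost > best_cost:
                best_guess, best_cost = guess, cost
        known += bytes([best_guess])
    return known


def hash_password(password: str) -> bytes:
    # Illustrative stand-in for a real password hash (use a slow KDF such
    # as bcrypt/argon2 in production); SHA-256 keeps the example dependency-free.
    return hashlib.sha256(password.encode()).digest()


def check_password(stored_hash: bytes, candidate: str) -> bool:
    # hmac.compare_digest is the standard-library constant-time comparison.
    return hmac.compare_digest(stored_hash, hash_password(candidate))
```

Running recover_via_oracle against leaky_equal with a constructed four-byte secret recovers all four bytes in at most 1024 queries; against constant_time_equal the same procedure returns all zero bytes. The real attack needs statistics over many requests to separate latencies, which is why the vendor qualifies it with "a sufficiently stable, fast connection", but the underlying leak is exactly the examined-byte count shown here.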
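The "PRNG isn't reseeded" item above combines two facts: the token generator is Python's random module (Mersenne Twister, MT19937, seeded once at start-up), and error pages leak its outputs. The Python example below is added here to show why that combination is enough to predict the next password-reset token; it is not code from the bulletin or from Plone. Inverting the MT19937 output tempering is a standard technique; the victim/attacker arrangement, the function names, and the choice of getrandbits(32) as the leaked value are assumptions made for the example. The final function shows the correct replacement, the secrets module, which reads the operating-system CSPRNG on every call and so has no long-lived state to recover.

```python
import random
import secrets

N = 624  # MT19937 state size in 32-bit words


def temper(x: int) -> int:
    """Forward MT19937 output tempering (what getrandbits(32) applies to a
    state word). Included so the inversion below can be checked."""
    y = x & 0xFFFFFFFF
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & 0xFFFFFFFF


def untemper(y: int) -> int:
    """Recover a state word from one 32-bit output."""
    y &= 0xFFFFFFFF
    # y ^= y >> 18: shift >= 16, so applying it once more inverts it.
    y ^= y >> 18
    # y ^= (y << 15) & 0xEFC60000: mask bits shifted by 15 again fall off
    # the top of 32 bits, so one application inverts it too.
    y ^= (y << 15) & 0xEFC60000
    # y ^= (y << 7) & 0x9D2C5680: fixed-point iteration; each round fixes
    # seven more low bits, so five rounds cover 32 bits.
    x = y
    for _ in range(5):
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    # y ^= y >> 11: each round fixes eleven more high bits.
    x = y
    for _ in range(3):
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_generator(outputs):
    """Build a random.Random whose future outputs match the victim's.

    Any 624 consecutive 32-bit outputs suffice, from any point in the
    stream: the MT recurrence only relates a new word to the words 624,
    623 and 227 positions earlier, so the window need not be aligned to a
    twist boundary.
    """
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (N,)  # index N: twist on next call
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def demo_prediction(seed=None, skip=5) -> bool:
    """Victim draws tokens from one long-lived random.Random; attacker sees
    624 leaked outputs (here: constructed by drawing them directly, standing
    in for values scraped from error pages) and predicts the next token."""
    victim = random.Random(seed)          # seed=None: seeded from os.urandom, still MT
    for _ in range(skip):                 # attacker does not see the start of the stream
        victim.getrandbits(32)
    leaked = [victim.getrandbits(32) for _ in range(N)]
    clone = clone_generator(leaked)
    predicted = clone.getrandbits(128)    # attacker's guess at the reset token
    actual = victim.getrandbits(128)      # token the victim hands out next
    return predicted == actual


def safe_reset_token() -> str:
    """The fix: a CSPRNG-backed token with no recoverable in-process state."""
    return secrets.token_urlsafe(32)
```

demo_prediction returns True whether or not the generator was seeded from system randomness, which is the vendor's point: seeding "via system random" only hides the initial state, and 624 leaked outputs give it back. Only values that map one-to-one onto 32-bit outputs, such as getrandbits(32), untemper this directly; outputs of random.random() or randrange() consume words differently and need a slightly different bookkeeping, but the same recovery applies.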
REFERENCES

        [1] Security vulnerability: 20121106 - Multiple vectors
            http://plone.org/products/plone/security/advisories/20121106-announcement

        [2] Security vulnerability announcement: 20121106 - Multiple vectors
            http://plone.org/products/plone/security/advisories/20121106

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUJn7je4yVqjM2NGpAQLsiA//SqL60lSmM/eYpc/nEOkAcbk60sTX8SQG
Eq7j0XyQzVoOP44h6tsgnue0aLX+p0VLDPHK1wINY+KzhpPPmrMlFP4XrwQFZ3Fa
iu1JYtkaXWx2L4SIS8BjDtiIpd51gD1OToJeBjzY7Odkkj3pqSJSEVvG1GIU6CiC
TnWrhSulF1HvGCtI01886i0eOcSzFHhJc5fpInkRTzHF2fBMbV3MjPxAdU40T2bT
1DA7AFQCEvrMEg9vZdtndEriOu2+KBX1x47WH4ajuiElws3AmiRGWbSuEamOhQI/
rtXeghtDwINmpTNqBmQLsEd3zmPgT6J+0RX0wiTmnP0OXpmtIgVBg/X3VAdG+m4c
/VKI7TQ34PgekMzidVn32cZemmV5bhrE94WcvH/qQFzIoZYSLG1K2qOBnAE+QsHG
yqKcagSjenuwGA8FInkg3BiofZ1t1FK7Epqdppo+sCh3bUUWBadh3UP/gBMJv89Y
C/fWwR+rYo2SOuxRf8vNrKqYbpYccwvQn5tOQCpTsALKWRMJWfTSTJ4qWWvZWSBY
gPFRsUihk2f+mbJwLr9HE8bhr6whMmFb89dG4ttO2mAKT8hG74xAknQPqeEUDaZE
pWhCKAKTGfWt+MIQx3UhwdX9R5Kg/CncpgCYWqIUatWzodvxF571VaQ8TK0b2kU2
cxumYZAaGWc=
=7Mo4
-----END PGP SIGNATURE-----