Hash: SHA1

                         AUSCERT Security Bulletin

         A number of vulnerabilities have been identified in Plone
                              7 November 2012


        AusCERT Security Bulletin Summary

Product:              Plone
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Administrator Compromise        -- Remote/Unauthenticated      
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Modify Arbitrary Files          -- Remote/Unauthenticated      
                      Denial of Service               -- Remote/Unauthenticated      
                      Cross-site Scripting            -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated      
                      Unauthorised Access             -- Remote/Unauthenticated      
                      Reduced Security                -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
Member content until: Friday, December  7 2012


        A number of vulnerabilities have been identified in all current Plone
        versions prior to PloneHotfix20121106. [1]


        The vendor has provided the following descriptions of these 
        "Restricted Python injection
        Anonymous users can cause an arbitrary Python statement to be run 
        when the admin interface is accessed. No breakout of the in-built 
        Python sandbox is possible, but it will run with the privileges of 
        that admin user." [2]
        "Reflexive HTTP header injection
        A crafted URL can contain arbitrary HTTP headers that are then 
        returned to the user. Can be used to log users out, for example." [2]
        "Restricted Python sandbox escape
        Accidental exposure of the sandbox whitelisting function when 
        imported from a certain, nonstandard location." [2]
        "Restricted Python injection
        Crafted URL allows arbitrary (sandboxed) Python to be run." [2]
        "Partial restricted Python sandbox escape
        Incomplete security declarations on certain objects allow permission
        checking to be bypassed on some functions." [2]
        "Reflexive XSS
        Crafted URL allows a passed full response body (or a redirect 
        target) to be returned by accidental exposure of internal methods of
        the response file handle on a URL." [2]
        "Partial permissions bypass
        Can be used to access a subset of attributes of unpublished content
        items through a crafted URL, if that content's path is known" [2]
        "Restricted Python sandbox escape
        Escape from sandbox through a utility function not checking that it
        has valid inputs, allowing access to the trusted builtins" [2]
        "Reflexive XSS
        Utility function is callable directly through a crafted URL and 
        accepts a default value." [2]
        "Restricted Python injection
        Crafted URL allows arbitrary (sandboxed) Python to be run" [2]
        "DoS through unsanitised inputs into Kupu" [2]
        "Anonymous users can list user account names
        A method of the membership database is insufficiently protected, 
        allowing users who do not have permission to enumerate users to do 
        so through a crafted URL" [2]
        "Partial denial of service through Collections functionality
        This DoS causes large amounts of IO and cache churn, meaning it can
        be used to DoS a site if accessed repeatedly" [2]
        "Partial denial of service through internal function
        DoS through exposed utility function" [2]
        "Anonymous users can batch change titles of content items
        The batch id change script does not correctly handle anonymous users
        attempting to change titles but leaving the ids the same correctly.
        Allows anonymous users to craft a POST request (once they've found a
        valid CSRF token) to change content titles arbitrarily." [2]
        "Crafted URL allows downloading of BLOBs that are not visible to the
        BLOBs stored on custom content types can be accessed through a 
        non-standard URL, bypassing the declared permission check" [2]
        "Persistent XSS via filtering bypass
        HTML content crafted by users may allow execution of arbitrary 
        javascript on specific browsers." [2]
        "Users connected through FTP can list hidden folder contents
        Users can read the contents of folders (but not access the files 
        themselves) that they would otherwise be unable to access." [2]
        "Persistent XSS
        Crafted URLs allow arbitrary strings (including full HTML) to be 
        stored in memory against a key, that can then be read out again on a
        related URL." [2]
        "Attempting to access a view with no name returns an internal data 
        Some types of URL can be ambiguous, the unambiguous form allows 
        anonymous views. On some content types an anonymous view lookup 
        returns a private data structure, which under certain circumstances
        may be used to read out confidential data." [2]
        "DoS through RSS on private folder
        A specially crafted URL invoking the RSS feed for a folder the user
        doesn't have access to (but knows the path of) can cause an infinite
        loop, trying up a server thread." [2]
        "Timing attack in password validation
        The equality test in our authentication system is not constant time,
        allowing a user with a sufficiently stable, fast connection to the 
        server to check hash prefixes" [2]
        "PRNG isn't reseeded
        We are using a Python random (seeded via system random), not system
        random, which in a long running process means it isn't reseeded. In
        addition, our error pages leak random numbers, allowing the state of
        the PRNG used for password resets to be derived." [2]
        "Form detail exposure
        A vulnerability in z3c.form that leaks default values of form fields
        through crafted URLs." [2]


        The vendor recommends applying PloneHotfix20121106 to correct these
        issues. [1]


        [1] Security vulnerability: 20121106 - Multiple vectors

        [2] Security vulnerability announcement: 20121106 - Multiple vectors

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967