-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                             ASB-2016.0086.2
        Multiple vulnerabilities have been identified in Plone and Zope
                              13 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Plone
                   Zope2
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-7140 CVE-2016-7139 CVE-2016-7138
                   CVE-2016-7136

Revision History:  October   13 2016: Added CVE numbers
                   September  6 2016: Initial Release

OVERVIEW

        A number of vulnerabilities have been identified in Plone and Zope2
        prior to Hotfix 20160830. [1]

IMPACT

        The vendor has provided the following information:

        "In multiple places, Zope2's ZMI pages do not properly escape user
        input." [2]

        "In multiple places, Zope2's ZMI pages do not properly escape user
        input." [3]

        "Plone's URL checking infrastructure includes a method for checking
        if URLs are valid and located in the Plone site. By passing
        javascript into this specially crafted url, XSS can be achieved." [4]

        "In multiple places, Plone blindly uses the referer header to
        redirect a user to the next page after a particular action. An
        attacker could utilize this to draw a user into a redirection
        attack." [5]

        "z3c.form will currently accept data from GET requests when the form
        is supposed to be POST. This allows a user to inject a potential XSS
        attack into a form. With certain widgets in Plone admin forms, the
        input is expected to be safe and can cause a reflexive XSS attack.
        Additionally, there is potential for an attack that will trick a
        user into saving a persistent XSS." [6]

        "By using relative paths and guessing locations on a server Plone is
        installed on, an attacker can read data from a target server that
        the process running plone has permission to read. The attacker needs
        administrator privileges on the Plone site to perform this
        attack." [7]

MITIGATION

        The vendor recommends applying Hotfix 20160830 to correct these
        issues. [1]

REFERENCES

        [1] Security patch released: 20160830
            https://plone.org/security/announcements/security-patch-released-20160830

        [2] Non-Persistent XSS in Zope2
            https://plone.org/security/hotfix/20160830/non-persistent-xss-in-zope2

        [3] Non-Persistent XSS in Plone
            https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone

        [4] Non-Persistent XSS in Plone
            https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1

        [5] Open Redirection in Plone
            https://plone.org/security/hotfix/20160830/open-redirection-in-plone

        [6] Non-Persistent XSS in Plone forms
            https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms

        [7] Filesystem information leak
            https://plone.org/security/hotfix/20160830/filesystem-information-leak

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
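The two classes of defect in items [5] and [7] above (a redirect driven by the Referer header, and a user-supplied relative path resolved on the filesystem) are both fixed by the same pattern: resolve the untrusted value first, then compare it against a trusted root. The following is an added illustration of that pattern, not code from the AusCERT bulletin or from the Plone hotfix; `SITE_URL`, `redirect_target` and `resolve_inside` are hypothetical names, and the sample site and paths are constructed.

```python
import os
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed sample site root; a hypothetical value, not taken from the bulletin.
SITE_URL = "https://plone.example.org/Plone"


def is_safe_redirect(target: str, site_url: str = SITE_URL) -> bool:
    """True only if `target` resolves to the same scheme and host as the site.

    This is the check a referer-driven "back to the previous page" redirect
    needs (item [5]): relative paths are resolved against the site first, so
    "/Plone/news" passes, while javascript:, protocol-relative //host,
    user@host tricks and foreign hosts all fail.
    """
    if not target:
        return False
    # Some browsers treat backslashes as slashes, so normalise before parsing.
    target = target.replace("\\", "/")
    site = urlsplit(site_url)
    parts = urlsplit(urljoin(site_url, target))
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.scheme, parts.netloc.lower()) == (site.scheme, site.netloc.lower())


def redirect_target(referer: Optional[str], fallback: str = "/", site_url: str = SITE_URL) -> str:
    """Choose the post-action redirect: the referer if on-site, otherwise `fallback`."""
    if referer and is_safe_redirect(referer, site_url):
        return referer
    return fallback


def resolve_inside(root: str, user_path: str) -> Optional[str]:
    """Resolve a user-supplied relative path and keep it under `root` (item [7]).

    Returns the real absolute path if it stays inside root, else None. Absolute
    input and ".." segments that escape the root both resolve outside and are
    rejected; symlinks are followed before the comparison is made.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    print(redirect_target("https://evil.example/phish", fallback="/Plone"))  # /Plone
    print(resolve_inside("/srv/plone", "../../etc/passwd"))                   # None
```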