[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE Request -- Plone: 20130618 Hotfix (multiple vectors)
From:       Jan Lieskovsky <jlieskov () redhat ! com>
Date:       2013-07-31 16:57:55
Message-ID: 2133092372.9599549.1375289875077.JavaMail.root () redhat ! com
[Download RAW message or body]

Hello Kurt, Steve, Mitre CVE assignment team, vendors,

  based on:
    [1] http://plone.org/products/plone/security/advisories/20130618-announcement

and further cooperation with Plone Security Team (many thanks to Matthew Wilkes
for issues review and comments) the [1] issues description is as follows (the *.py
scripts in the summary correspond to files from Plone 20130618 Hotfix that would
be applicable to correct that specific issue. See also Notes for particular cases though):

------
#1  Plone: DoS (infinite loop) by administrator privilege users when retrieving information for \
certain resources (traverser.py)  https://bugzilla.redhat.com/show_bug.cgi?id=978449
    CWE: CWE-835 
    
    A denial of service flaw was found in the way Plone, a user friendly and powerful content \
management system, performed particular resource related information  retrieval in certain \
cases (request interaction with internal traversal machinery). A remote attacker, having \
administrator privilege to certain subset of Plone  action screens / functionality, could use \
this flaw to cause uncontrolled resource consumption (infinite loop) by issuing a \
specially-crafted request.

-----
#2  Plone: Privilege escalation due improper authorization (dataitems.py, get.py, \
traverseName.py)  https://bugzilla.redhat.com/show_bug.cgi?id=978450
    CWE: CWE-285

    A privilege escalation flaw was found in the way Plone, a user friendly and powerful \
content management system, enforced authorization for users having  administrator privilege \
access for a subtree of a particular node (access to node above that subtree was granted even \
when the user in question has had  administrator privilege only for a subtree of that node). A \
remote attacker, with administrator user privilege to certain subtree of Plone actions /  \
functionality, could use this flaw to access / alter also higher nodes.

-----
#3  Plone: Multiple cross-site scripting (XSS) flaws (spamProtect.py, pts.py, request.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978451
    CWE: CWE-79
  
    Multiple cross-site scripting (XSS) flaws were found in the way Plone, a user friendly and \
powerful content management system, performed sanitization of user  provided input in web \
forms. A remote attacker could provide a specially-crafted URL that, when visited by \
authenticated Plone user could lead to arbitrary  HTML or web script execution in the context \
of Plone user's session.

-----
#4  Plone: Information exposure due improper access control enforcement when generating zip \
archives (zip.py)  https://bugzilla.redhat.com/show_bug.cgi?id=978453
    CWE: CWE-200, Information Exposure
         CWE-284: Improper Access Control
         CWE-285: Improper Authorization

    An information exposure flaw was found in the way zip archives generation functionality of \
Plone, a user friendly and powerful content management system,  enforced user access control \
privileges on the content to be included into the archive. A remote attacker could use this \
flaw to obtain sensitive information  (by generating a zip archive from content they would not \
be otherwise able to access).

-----
#5  Plone: Ability to spoof emails (sendto.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978464
    CWE: CWE-749

    A security flaw was found in the way Plone, a user friendly and powerful content management \
system, performed certain provided data validation when sending  emails. A remote attacker, \
valid Plone user, could use this flaw to conduct email spoofing attacks.

-----
#6  Plone: Anonymous users capable to hide certain fields from content edit forms \
(typeswidget.py)  https://bugzilla.redhat.com/show_bug.cgi?id=978469
    CWE: CWE-302: Authentication Bypass by Assumed-Immutable Data

    A security flaw was found in the way Plone, a user friendly and powerful content management \
system, enforced immutable setting on certain content edit forms.  A remote attacker could use \
this flaw to provide a specially-crafted URL that would (in a non-persistent way) hide certain \
fields from these content edit forms,  possibly leading to scenario such altered forms to be \
erroneously accepted by authenticated Plone user as valid.

-----
#7  Plone: File system path exposure (wysiwyg.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978470
    CWE: CWE-209: Information Exposure Through an Error Message

    A file system path exposure flaw was found in the way Plone, a user friendly and powerful \
content management system, used to present certain error messages  in the wysiwyg component. A \
remote attacker could provide a specially-crafted URL that, when processed would lead to \
exposure of file system path (for the  selected component) of the Plone instance.

-----
#8  Plone: Open redirect in the HTTP server implementation (marmoset_patch.py, publish.py, \
principiaredirect.py)  https://bugzilla.redhat.com/show_bug.cgi?id=978471
    CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

    An open redirect flaw was found in multiple components of Plone, a user friendly and \
powerful content management system. Remote attacker could provide  a specially-crafted URL that \
when visited by valid Plone user could lead the Plone user's session to be redirected to \
external site.

    Note from Matthew Wilkes: 'marmoset_patch is just a library, not sure it's worth mentioning \
here'

-----
#9  Plone: Multiple information exposure flaws via certain object methods (objectmanager.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978475
    CWE: CWE-200, Information Exposure

    Multiple information exposure flaws were found in the way object manager implementation of \
Plone, a user friendly and powerful content management system,  protected access to its \
internal methods. A remote attacker could issue a specially-crafted (URL) request that, when \
processed would lead to information exposure.

-----
#10 Plone: Authenticated users able to modify / delete portraits of other users \
(member_portrait.py)  https://bugzilla.redhat.com/show_bug.cgi?id=978478
    CWE: CWE-267: Privilege Defined With Unsafe Actions

    A security flaw (privilege defined with unsafe actions) was found in the way portrait \
handling component of Plone, a user friendly and powerful content management  system, performed \
portraits management. Remote attacker, authenticated Plone user could use this flaw to modify \
or delete portraits of other users.

-----
#11 Plone: Authenticated users able to alter their password despite of policy definition / \
setting prohibiting it (mail_password.py)  https://bugzilla.redhat.com/show_bug.cgi?id=978480
    CWE: CWE-284: Improper Access Control

    A security flaw was found in the way Plone, a user friendly and powerful content management \
system, restricted access to password change for unauthorized users.  If from policy definition \
Plone user in question was not allowed to change their password, they (previously) could still \
reset / change the password via forgotten  password email functionality.

-----
#12 Plone: DoS by decompressing large zip archives (cb_decode.py, linkintegrity.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978482
    CWE: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

    A denial of service flaw was found in the way Plone, a user friendly and powerful content \
management system, used to previously expand certain zip archives.  Remote attacker, \
authenticated Plone user could issue Zip archive expand request with specially-crafted archive \
that, when processed would lead to uncontrolled  resources consumption (denial of service).

-----
#13 Plone: Forwarding of cookie data (session hijack) in certain browsers (in_portal.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978485
    CWE: CWE-522: Insufficiently Protected Credentials

    A security flaw was found in the way Plone, a user friendly and powerful content management \
system, previously protected user's cookie data in certain situations.  A remote attacker could \
provide a specially-crafted URL that, when visited by a valid Plone user could lead to Plone \
user's cookie to be forwarded if the victim  was using certain browsers (possibility of session \
hijack).

    Note from Matthew Wilkes due this one: 'Hmm. I'd argue for CWE-601 and maybe CWE-20 too. \
It's hard to pin down.'

-----

Could you allocate CVE identifiers for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


[prev in list] [next in list] [prev in thread] [next in thread]