List: oss-security
Subject: [oss-security] CVE Request -- Plone: 20130618 Hotfix (multiple vectors)
From: Jan Lieskovsky <jlieskov () redhat ! com>
Date: 2013-07-31 16:57:55
Message-ID: 2133092372.9599549.1375289875077.JavaMail.root () redhat ! com
Hello Kurt, Steve, Mitre CVE assignment team, vendors,
based on:
[1] http://plone.org/products/plone/security/advisories/20130618-announcement
and further cooperation with the Plone Security Team (many thanks to Matthew Wilkes for the issues review and comments), the description of the [1] issues is as follows (the *.py scripts in the summary correspond to files from the Plone 20130618 Hotfix that would be applicable to correct that specific issue. See also the Notes for particular cases, though):
------
#1 Plone: DoS (infinite loop) by administrator-privileged users when retrieving information for certain resources (traverser.py) https://bugzilla.redhat.com/show_bug.cgi?id=978449
CWE: CWE-835
A denial of service flaw was found in the way Plone, a user friendly and powerful content management system, performed particular resource related information retrieval in certain cases (request interaction with the internal traversal machinery). A remote attacker, having administrator privileges for a certain subset of Plone action screens / functionality, could use this flaw to cause uncontrolled resource consumption (infinite loop) by issuing a specially-crafted request.
-----
#2 Plone: Privilege escalation due to improper authorization (dataitems.py, get.py, traverseName.py) https://bugzilla.redhat.com/show_bug.cgi?id=978450
CWE: CWE-285
A privilege escalation flaw was found in the way Plone, a user friendly and powerful content management system, enforced authorization for users having administrator privilege access for a subtree of a particular node (access to the node above that subtree was granted even when the user in question had administrator privileges only for a subtree of that node). A remote attacker, with administrator privileges for a certain subtree of Plone actions / functionality, could use this flaw to also access / alter higher nodes.
-----
#3 Plone: Multiple cross-site scripting (XSS) flaws (spamProtect.py, pts.py, request.py)
https://bugzilla.redhat.com/show_bug.cgi?id=978451
CWE: CWE-79
Multiple cross-site scripting (XSS) flaws were found in the way Plone, a user friendly and powerful content management system, performed sanitization of user provided input in web forms. A remote attacker could provide a specially-crafted URL that, when visited by an authenticated Plone user, could lead to arbitrary HTML or web script execution in the context of the Plone user's session.
-----
#4 Plone: Information exposure due to improper access control enforcement when generating zip archives (zip.py) https://bugzilla.redhat.com/show_bug.cgi?id=978453
CWE: CWE-200: Information Exposure
CWE-284: Improper Access Control
CWE-285: Improper Authorization
An information exposure flaw was found in the way the zip archive generation functionality of Plone, a user friendly and powerful content management system, enforced user access control privileges on the content to be included in the archive. A remote attacker could use this flaw to obtain sensitive information (by generating a zip archive from content they would not otherwise be able to access).
-----
#5 Plone: Ability to spoof emails (sendto.py)
https://bugzilla.redhat.com/show_bug.cgi?id=978464
CWE: CWE-749
A security flaw was found in the way Plone, a user friendly and powerful content management system, performed certain provided data validation when sending emails. A remote attacker, a valid Plone user, could use this flaw to conduct email spoofing attacks.
-----
#6 Plone: Anonymous users capable of hiding certain fields from content edit forms (typeswidget.py) https://bugzilla.redhat.com/show_bug.cgi?id=978469
CWE: CWE-302: Authentication Bypass by Assumed-Immutable Data
A security flaw was found in the way Plone, a user friendly and powerful content management system, enforced the immutable setting on certain content edit forms. A remote attacker could use this flaw to provide a specially-crafted URL that would (in a non-persistent way) hide certain fields from these content edit forms, possibly leading to a scenario where such altered forms would be erroneously accepted by an authenticated Plone user as valid.
-----
#7 Plone: File system path exposure (wysiwyg.py)
https://bugzilla.redhat.com/show_bug.cgi?id=978470
CWE: CWE-209: Information Exposure Through an Error Message
A file system path exposure flaw was found in the way Plone, a user friendly and powerful content management system, used to present certain error messages in the wysiwyg component. A remote attacker could provide a specially-crafted URL that, when processed, would lead to exposure of the file system path (for the selected component) of the Plone instance.
-----
#8 Plone: Open redirect in the HTTP server implementation (marmoset_patch.py, publish.py, principiaredirect.py) https://bugzilla.redhat.com/show_bug.cgi?id=978471
CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
An open redirect flaw was found in multiple components of Plone, a user friendly and powerful content management system. A remote attacker could provide a specially-crafted URL that, when visited by a valid Plone user, could lead the Plone user's session to be redirected to an external site.
Note from Matthew Wilkes: 'marmoset_patch is just a library, not sure it's worth mentioning here'
-----
#9 Plone: Multiple information exposure flaws via certain object methods (objectmanager.py)
https://bugzilla.redhat.com/show_bug.cgi?id=978475
CWE: CWE-200: Information Exposure
Multiple information exposure flaws were found in the way the object manager implementation of Plone, a user friendly and powerful content management system, protected access to its internal methods. A remote attacker could issue a specially-crafted (URL) request that, when processed, would lead to information exposure.
-----
#10 Plone: Authenticated users able to modify / delete portraits of other users (member_portrait.py) https://bugzilla.redhat.com/show_bug.cgi?id=978478
CWE: CWE-267: Privilege Defined With Unsafe Actions
A security flaw (privilege defined with unsafe actions) was found in the way the portrait handling component of Plone, a user friendly and powerful content management system, performed portrait management. A remote attacker, an authenticated Plone user, could use this flaw to modify or delete portraits of other users.
-----
#11 Plone: Authenticated users able to alter their password despite a policy definition / setting prohibiting it (mail_password.py) https://bugzilla.redhat.com/show_bug.cgi?id=978480
CWE: CWE-284: Improper Access Control
A security flaw was found in the way Plone, a user friendly and powerful content management system, restricted access to password change for unauthorized users. If, per the policy definition, the Plone user in question was not allowed to change their password, they (previously) could still reset / change the password via the forgotten password email functionality.
-----
#12 Plone: DoS by decompressing large zip archives (cb_decode.py, linkintegrity.py)
https://bugzilla.redhat.com/show_bug.cgi?id=978482
CWE: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
A denial of service flaw was found in the way Plone, a user friendly and powerful content management system, previously expanded certain zip archives. A remote attacker, an authenticated Plone user, could issue a zip archive expand request with a specially-crafted archive that, when processed, would lead to uncontrolled resource consumption (denial of service).
-----
#13 Plone: Forwarding of cookie data (session hijack) in certain browsers (in_portal.py)
https://bugzilla.redhat.com/show_bug.cgi?id=978485
CWE: CWE-522: Insufficiently Protected Credentials
A security flaw was found in the way Plone, a user friendly and powerful content management system, previously protected users' cookie data in certain situations. A remote attacker could provide a specially-crafted URL that, when visited by a valid Plone user, could lead to the Plone user's cookie being forwarded if the victim was using certain browsers (possibility of session hijack).
Note from Matthew Wilkes on this one: 'Hmm. I'd argue for CWE-601 and maybe CWE-20 too. It's hard to pin down.'
-----
Could you allocate CVE identifiers for these?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
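A defensive budget check for the zip expansion problem described in #12, added here as an example that is not part of this message or of the Plone hotfix; the byte limits, function names and the sample archives are assumptions constructed for the demonstration:

```python
import io
import zipfile

# Assumed policy limits (not from the advisory): total bytes the server will
# inflate per request, and the maximum per-member compression ratio.
MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024
MAX_RATIO = 100

class UnsafeArchive(ValueError):
    """Raised when an upload would exceed the configured decompression budget."""

def declared_size_within_budget(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Inspect central-directory metadata before inflating anything.
    Returns (ok, declared_total); ok is False if the total or any member ratio is too big."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            # compress_size may be 0 for empty members; avoid ZeroDivisionError
            if total > max_total or info.file_size / max(info.compress_size, 1) > max_ratio:
                return False, total
    return True, total

def safe_extract_bytes(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Validate headers, then inflate under a hard byte cap so a member whose
    header under-reports its size still cannot blow past the budget."""
    ok, declared = declared_size_within_budget(data, max_total, max_ratio)
    if not ok:
        raise UnsafeArchive("archive declares %d bytes or an excessive ratio" % declared)
    consumed, members = 0, {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                chunk = fh.read(max_total - consumed + 1)  # at most one byte over budget
            consumed += len(chunk)
            if consumed > max_total:
                raise UnsafeArchive("inflated output exceeded budget")
            members[info.filename] = chunk
    return members

def build_zip(members):
    """Build an in-memory archive; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a harmless archive and a highly compressible one (~1000:1).
BENIGN = build_zip({"readme.txt": b"hello plone\n"})
BOMBISH = build_zip({"zeros.bin": b"\0" * (2 * 1024 * 1024)})
```

The metadata check alone is not enough, since headers are attacker-controlled; the read cap in safe_extract_bytes is what actually bounds memory.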
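A redirect-target validator for the open redirect class in #8 (and the cookie-forwarding case that Matthew Wilkes relates to CWE-601 in #13), added here as an example that is not the message's or Plone's own code; the host names and function names are assumptions, and it deliberately covers the scheme-relative, backslash and userinfo forms that naive prefix checks miss:

```python
from urllib.parse import urlsplit

def is_safe_redirect(target, site_host, allowed_hosts=()):
    """Return True only when target stays on site_host or an allowlisted host.
    Relative paths are fine; any absolute or scheme-relative URL must name a permitted host."""
    if not isinstance(target, str):
        return False
    target = target.strip()
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False  # empty value or header-injection / browser-stripped characters
    # Browsers treat backslashes like slashes and collapse runs of leading slashes,
    # so "/\\evil.example" and "///evil.example" both mean a different host.
    candidate = target.replace("\\", "/")
    if candidate.startswith("//"):
        candidate = "//" + candidate.lstrip("/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, ftp: and friends
    if not parts.netloc:
        # "https:evil.example" (scheme without "//") is read by browsers as a host
        return not parts.scheme
    permitted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    return (parts.hostname or "").lower() in permitted

def resolve_redirect(target, site_host, default="/", allowed_hosts=()):
    """Pick the Location value: the requested target if it is safe, else default."""
    return target if is_safe_redirect(target, site_host, allowed_hosts) else default
```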