
List:       oss-security
Subject:    [oss-security] Re: CVE Request: Plone Unauthorized user creation
From:       cve-assign () mitre ! org
Date:       2015-09-22 20:55:55
Message-ID: 20150922205555.6C564B2E1B1 () smtpvbsrv1 ! mitre ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://plone.org/security/20150910/anonymous-is-able-to-create-plone-members
> https://github.com/zopefoundation/Products.CMFCore/commit/e1d981bfa14b664317285f0f36498f4be4a23406

> Do not make this a normal method comment. Doing so makes
> this method publishable

Use CVE-2015-7315.

We think this might be a somewhat unusual vulnerability cause. See
"Zope has few restrictions on publishable objects. The basic rule is
that the object must have a doc string. This requirement goes for
method objects too. Another requirement is that a publishable object
must not have a name that begin with an underscore. These two
restrictions are designed to keep private objects from being
published." on the
http://docs.zope.org/zope2/zdgbook/ObjectPublishing.html page.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
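The publishability rule quoted from the Zope Developer's Guide is easy to model and to audit for. The following is an added example, not code from Zope, Products.CMFCore or the Plone advisory: it applies the two quoted rules (has a docstring, name does not begin with an underscore) to the methods of a class, and contrasts a hypothetical registration tool whose member-creation method carries a docstring with the same tool after the docstring is turned into a plain comment, mirroring the kind of change in the referenced commit. The class and method names are assumptions for illustration.

```python
"""Model of Zope 2's 'publishable object' rule.

Added example (not Zope's, Products.CMFCore's or Plone's own code).  It
implements only the two rules quoted from the Zope docs: an attribute is
publishable if it has a docstring and its name does not start with '_'.
"""
import inspect


def is_publishable(name, obj):
    """Return True if Zope's basic rules would let `obj` be published as `name`."""
    if name.startswith('_'):
        # Rule 2: names beginning with an underscore are never published.
        return False
    # Rule 1: the object must have a (non-empty) docstring.
    return bool(getattr(obj, '__doc__', None))


def publishable_methods(cls):
    """List the methods of `cls` that the docstring/underscore rules expose.

    Useful as a quick audit: any name here is URL-reachable through the
    publisher unless a security declaration protects it.
    """
    return sorted(
        name for name, member in inspect.getmembers(cls, inspect.isroutine)
        if is_publishable(name, member)
    )


class VulnerableRegistrationTool(object):
    """Hypothetical tool (assumed name) before the fix."""

    def addMember(self, member_id, password):
        """Create a member.  This docstring makes the method publishable."""
        return ('member', member_id)


class FixedRegistrationTool(object):
    """Same hypothetical tool after the fix."""

    def addMember(self, member_id, password):
        # A plain comment instead of a docstring: no docstring, so the
        # publisher will not expose this method directly.
        return ('member', member_id)


if __name__ == '__main__':
    print('vulnerable:', publishable_methods(VulnerableRegistrationTool))
    print('fixed:     ', publishable_methods(FixedRegistrationTool))
```

The model covers only the two rules the message quotes; in a real Zope deployment the security policy (permissions declared on the method or its class) is applied as well, so a docstring alone does not bypass an explicit protection. The point of the advisory is the converse: a method that was never meant to be web-callable, and therefore carried no protection, became reachable simply because someone documented it with a docstring.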