Re: CVE Request - PloneFormGen, multiple vulnerabilities

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/04/2013 02:54 PM, Matthew Wilkes wrote:
> Hello all,
>
> I'd like to request some CVE identifiers for the following 
> vulnerabilities, recently patched in PloneFormGen[1]
>
> Here are some descriptions of the vulnerabilities, along with the
> CVSSv2 base score we calculated, and our determination of the
> relevant CWE identifiers. We're not sure about potential merges,
> especially as there are two pairs of very similar attacks.
>
>
> # Execute arbitrary shell commands **CVSSv2 base score**: 10
>
> CWE-78 - Improper Neutralisation of Special Elements used in an OS
> Command CWE-573 - Improper Following of Specification by Caller 
> CWE-749 - Exposed dangerous method or function
>
> Passing a urlencoded shell command to a support function that is 
> accessible through the web causes that shell command to be run with
> the same privileges as the Zope server.
>
>
>
> # Set custom script body **CVSSv2 base score**: 8.2 CWE-306 -
> Missing authentication for critical resource CWE-749 - Exposed
> dangerous method or function
>
> When using a custom script action adapter, it is possible for
> anonymous users to overwrite the content of the script. This allows
> an attacker complete control over what happens to the received
> data. The script is executed within Zope's RestrictedPython
> environment, however, so it doesn't allow escape from the process
> sandbox.
>
>
>
> # Can set body of mail template on mailer object **CVSSv2 base
> score**: 7.5 CWE-863 - Incorrect authorization CWE-749 - Exposed
> dangerous method or function
>
> An unused method has a declarePublic call, allowing anyone to
> invoke it. This allows any PloneFormGen form with a mailer object
> to have the email template modified by anonymous users. As the
> template is a ZPT object it can include inline Python expressions
> evaluated in the process sandbox.
>
>
>
> # Insufficient CSRF protection on SaveData adapter allows changing
> data **CVSSv2 base score**: 6.3 CWE-352 - Cross-site request
> forgery (CSRF) CWE-749 - Exposed dangerous method or function
>
> If a privileged user is tricked into accessing an attacker
> controlled URL, it is possible to craft a request which would allow
> setting the saved data to any value, thus compromising the
> integrity of the data.
>
>
>
> # Can determine the success page without filling in form **CVSSv2
> base score**: 5 CWE-767 - Access to critical private variable via
> public method
>
> Often this is just a thank you page, however it is used by some
> users to expose access to a private URL or further logic. In this
> case it *may* provide an attacker with access to sensitive
> information.
>
>
>
> # Render body of mail template on mailer object **CVSSv2 base
> score**: 5 CWE-767 - Access to critical private variable via public
> method
>
> Like the above attack, this allows users who have not filled in a
> form to see the email they would have received if they had. It
> stacks with the set body vulnerability to allow the attacker to
> execute Python embedded in the custom template.
>
>
>
> # Run ScriptAdapter script without submitting form **CVSSv2 base
> score**: 5 (???) CWE-767 - Access to critical private variable via
> public method
>
> As above, but with the set custom script body vulnerability. The
> effect of running the script varies by deployment.
>
>
>
> # Can add spurious blank records to SaveDataAdapter **CVSSv2 base
> score**: 5 CWE-306 - Missing authentication for critical resource 
> CWE-20 - Improper input validation CWE-749 - Exposed dangerous
> method or function
>
> When using the default action adapter for saving data, it's
> possible to create blank, likely invalid records. A malicious user
> could automate this to add many invalid responses.
>
>
>
> # Can enable or disable form actions **CVSSv2 base score**: 4.3 
> CWE-306 - Missing authentication for critical resource CWE-352 -
> Cross-site request forgery
>
> If the ids of the action adapters within a form are known, it is 
> possible to disable or enable them as an anonymous user. This would
> allow an attacker to effectively disable the form, or to redirect
> input.
>
>
>
> # Vector for determining user details in XSS attacks **CVSSv2 base
> score**: 3.5 (???) CWE-352 - Cross-site request forgery CWE-359 -
> Privacy violation
>
> Multiple methods are exposed which allow determination of the
> email address, name and id of the currently authenticated member in
> custom script adapters. If an attacker were already performing a
> cross site scripting vulnerability elsewhere on the domain, these
> methods could be used to identify users and leak sensitive
> information.
>
>
>
> All but 'Insufficient CSRF protection on SaveData adapter allows 
> changing data' have official fixes; that one is unpatched.
> Disclosure of reproducers has only been to the maintainer at this
> stage, but happen more widely sometime in the next few weeks.
> Credits for all the vulnerabilities go to The Code Distillery
>
> Kurt, or whoever assigns the CVEs for this, I'm happy to provide
> more information if you need it.
>
> Thanks,
>
> Matthew Wilkes
>
> [1] - 
> http://plone.org/products/plone/security/advisories/ploneformgen-vulnerability-requires-immediate-upgrade
>
>
>
>
> ------ http://thedistillery.eu. The Code Distillery Ltd. Is
> registered in England & Wales (#7747893). Registered address
> 145-157 St John Street, London, EC1V 4PW.

Sorry thought i had replied to this. I need links to the code
commits/vuln code so I can confirm these.

To reiterate: so I can confirm CVE assignments, and prevent duplicate
assignments you *MUST* provide links to the code commits/vulnerable
code. I don't have the time to go hunting through your source code for
them. People need to start making better CVE requests, or you're not
going to get CVEs from me.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR5YTlAAoJEBYNRVNeJnmT0pIP/2LCSBkcOd/yx0L/zAUHg8hD
XV/W0VGNk+3ibM9aJjnMNLJieG2sgmzGxumEj+KmF5G7j1+cdXVEFOIxnBnfNNXJ
xjURM5ajOwat6B3uGeP9GW+qhcbxfjJ7vpPVp9AbdGDToIYovlz9+mLaTSutKpZo
VtS0yRf6F5pW1Bl7ssxtiUaja425RpgLXNNgcVeYMLBBXFldQ76QE6cPftP4daoV
cQ5NWYz7ULJyLKVAO2B7kjvQOwvQGMi5VH0x4uMXs9eVnEKQS5M4sGXTy73M9V6u
cMIpUspGZFBV2/P6Nnh9hGUHLK9L96ylAhMlkdeJJWAJhgZaEVjOsZVJR9/jM/su
+PXBoMfcgmOYcPFOWq5BONhpgvYuomdJhzdh4UojW1mPStcXV5Xz6uIpqS9UcZEV
zBoL+0o0isQZNtIKGLlJbVoB9+o3UtDHtHAXCLl4VaTxokqVkhTkJWYjNWU9/r9E
iqDlnX9D8UfuTldZRS4F/Zll2goVI8+PU622MjfaJGnsIIq1BKAPkkgyLQrCUPbG
6PiupxhyjPEf78CT+c3fAwwZgf1ARVhmz5cxKysGJuWo62MCsnoOf1Fy9buT0Pq2
uWXMuMKgUq5SyR48SoX8XT9i3S30ELhJMU63PRecBok4QdNaW1y30GQgMRgXcY0d
WFIZ5snSLeDrgos7p+vC
=h+BX
-----END PGP SIGNATURE-----