Re: CVE Request -- Plone: 20130618 Hotfix (multiple vectors)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/31/2013 10:57 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, Mitre CVE assignment team, vendors,
>
> based on: [1]
> http://plone.org/products/plone/security/advisories/20130618-announcement
>
>  and further cooperation with Plone Security Team (many thanks to
> Matthew Wilkes for issues review and comments) the [1] issues
> description is as follows (the *.py scripts in the summary
> correspond to files from Plone 20130618 Hotfix that would be
> applicable to correct that specific issue. See also Notes for
> particular cases though):


Top posting because I am lazy:

CVE-2013-4188 Plone: DoS (infinite loop) by administrator privilege
users when retrieving information for certain resources (traverser.py)

CVE-2013-4189 Plone: Privilege escalation due improper authorization
(dataitems.py, get.py, traverseName.py)

CVE-2013-4190 Plone: Multiple cross-site scripting (XSS) flaws
(spamProtect.py, pts.py, request.py)

CVE-2013-4191 Plone: Information exposure due improper access control
enforcement when generating zip archives (zip.py)

CVE-2013-4192 Plone: Ability to spoof emails (sendto.py)

CVE-2013-4193 Plone: Anonymous users capable to hide certain fields
from content edit forms (typeswidget.py)

CVE-2013-4194 Plone: File system path exposure (wysiwyg.py)

CVE-2013-4195 Plone: Open redirect in the HTTP server implementation
(marmoset_patch.py, publish.py, principiaredirect.py)

CVE-2013-4196 Plone: Multiple information exposure flaws via certain
object methods (objectmanager.py)

CVE-2013-4197 Plone: Authenticated users able to modify / delete
portraits of other users (member_portrait.py)

CVE-2013-4198 Plone: Authenticated users able to alter their password
despite of policy definition / setting prohibiting it (mail_password.py)

CVE-2013-4199 Plone: DoS by decompressing large zip archives
(cb_decode.py, linkintegrity.py)

CVE-2013-4200 Plone: Forwarding of cookie data (session hijack) in
certain browsers (in_portal.py)

> ------ #1  Plone: DoS (infinite loop) by administrator privilege
> users when retrieving information for certain resources
> (traverser.py) https://bugzilla.redhat.com/show_bug.cgi?id=978449 
> CWE: CWE-835
>
> A denial of service flaw was found in the way Plone, a user
> friendly and powerful content management system, performed
> particular resource related information retrieval in certain cases
> (request interaction with internal traversal machinery). A remote
> attacker, having administrator privilege to certain subset of
> Plone action screens / functionality, could use this flaw to cause
> uncontrolled resource consumption (infinite loop) by issuing a
> specially-crafted request.
>
> ----- #2  Plone: Privilege escalation due improper authorization
> (dataitems.py, get.py, traverseName.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978450 CWE: CWE-285
>
> A privilege escalation flaw was found in the way Plone, a user
> friendly and powerful content management system, enforced
> authorization for users having administrator privilege access for a
> subtree of a particular node (access to node above that subtree was
> granted even when the user in question has had administrator
> privilege only for a subtree of that node). A remote attacker, with
> administrator user privilege to certain subtree of Plone actions / 
> functionality, could use this flaw to access / alter also higher
> nodes.
>
> ----- #3  Plone: Multiple cross-site scripting (XSS) flaws
> (spamProtect.py, pts.py, request.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978451 CWE: CWE-79
>
> Multiple cross-site scripting (XSS) flaws were found in the way
> Plone, a user friendly and powerful content management system,
> performed sanitization of user provided input in web forms. A
> remote attacker could provide a specially-crafted URL that, when
> visited by authenticated Plone user could lead to arbitrary HTML or
> web script execution in the context of Plone user's session.
>
> ----- #4  Plone: Information exposure due improper access control
> enforcement when generating zip archives (zip.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978453 CWE: CWE-200,
> Information Exposure CWE-284: Improper Access Control CWE-285:
> Improper Authorization
>
> An information exposure flaw was found in the way zip archives
> generation functionality of Plone, a user friendly and powerful
> content management system, enforced user access control privileges
> on the content to be included into the archive. A remote attacker
> could use this flaw to obtain sensitive information (by generating
> a zip archive from content they would not be otherwise able to
> access).
>
> ----- #5  Plone: Ability to spoof emails (sendto.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978464 CWE: CWE-749
>
> A security flaw was found in the way Plone, a user friendly and
> powerful content management system, performed certain provided data
> validation when sending emails. A remote attacker, valid Plone
> user, could use this flaw to conduct email spoofing attacks.
>
> ----- #6  Plone: Anonymous users capable to hide certain fields
> from content edit forms (typeswidget.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978469 CWE: CWE-302:
> Authentication Bypass by Assumed-Immutable Data
>
> A security flaw was found in the way Plone, a user friendly and
> powerful content management system, enforced immutable setting on
> certain content edit forms. A remote attacker could use this flaw
> to provide a specially-crafted URL that would (in a non-persistent
> way) hide certain fields from these content edit forms, possibly
> leading to scenario such altered forms to be erroneously accepted
> by authenticated Plone user as valid.
>
> ----- #7  Plone: File system path exposure (wysiwyg.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978470 CWE: CWE-209:
> Information Exposure Through an Error Message
>
> A file system path exposure flaw was found in the way Plone, a user
> friendly and powerful content management system, used to present
> certain error messages in the wysiwyg component. A remote attacker
> could provide a specially-crafted URL that, when processed would
> lead to exposure of file system path (for the selected component)
> of the Plone instance.
>
> ----- #8  Plone: Open redirect in the HTTP server implementation
> (marmoset_patch.py, publish.py, principiaredirect.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978471 CWE: CWE-601:
> URL Redirection to Untrusted Site ('Open Redirect')
>
> An open redirect flaw was found in multiple components of Plone, a
> user friendly and powerful content management system. Remote
> attacker could provide a specially-crafted URL that when visited by
> valid Plone user could lead the Plone user's session to be
> redirected to external site.
>
> Note from Matthew Wilkes: 'marmoset_patch is just a library, not
> sure it's worth mentioning here'
>
> ----- #9  Plone: Multiple information exposure flaws via certain
> object methods (objectmanager.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978475 CWE: CWE-200,
> Information Exposure
>
> Multiple information exposure flaws were found in the way object
> manager implementation of Plone, a user friendly and powerful
> content management system, protected access to its internal
> methods. A remote attacker could issue a specially-crafted (URL)
> request that, when processed would lead to information exposure.
>
> ----- #10 Plone: Authenticated users able to modify / delete
> portraits of other users (member_portrait.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978478 CWE: CWE-267:
> Privilege Defined With Unsafe Actions
>
> A security flaw (privilege defined with unsafe actions) was found
> in the way portrait handling component of Plone, a user friendly
> and powerful content management system, performed portraits
> management. Remote attacker, authenticated Plone user could use
> this flaw to modify or delete portraits of other users.
>
> ----- #11 Plone: Authenticated users able to alter their password
> despite of policy definition / setting prohibiting it
> (mail_password.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978480 CWE: CWE-284:
> Improper Access Control
>
> A security flaw was found in the way Plone, a user friendly and
> powerful content management system, restricted access to password
> change for unauthorized users. If from policy definition Plone user
> in question was not allowed to change their password, they
> (previously) could still reset / change the password via forgotten 
> password email functionality.
>
> ----- #12 Plone: DoS by decompressing large zip archives
> (cb_decode.py, linkintegrity.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978482 CWE: CWE-400:
> Uncontrolled Resource Consumption ('Resource Exhaustion')
>
> A denial of service flaw was found in the way Plone, a user
> friendly and powerful content management system, used to previously
> expand certain zip archives. Remote attacker, authenticated Plone
> user could issue Zip archive expand request with specially-crafted
> archive that, when processed would lead to uncontrolled resources
> consumption (denial of service).
>
> ----- #13 Plone: Forwarding of cookie data (session hijack) in
> certain browsers (in_portal.py) 
> https://bugzilla.redhat.com/show_bug.cgi?id=978485 CWE: CWE-522:
> Insufficiently Protected Credentials
>
> A security flaw was found in the way Plone, a user friendly and
> powerful content management system, previously protected user's
> cookie data in certain situations. A remote attacker could provide
> a specially-crafted URL that, when visited by a valid Plone user
> could lead to Plone user's cookie to be forwarded if the victim was
> using certain browsers (possibility of session hijack).
>
> Note from Matthew Wilkes due this one: 'Hmm. I'd argue for CWE-601
> and maybe CWE-20 too. It's hard to pin down.'
>
> -----
>
> Could you allocate CVE identifiers for these?
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR+fl9AAoJEBYNRVNeJnmT/MkQAIYebwWvV3zpuRmeFjaiJS+Q
E3dfQsBHqtBsOa8WyDiIluwawtn6BY+tWBhzeqXh3nlClATdR4VTOiK/CyCPP2w5
Gs47/Z+cesM0MiGw1ZPv2d3nIkNg2UCwWkDAf2fFqYtpeXOteZ2O+Rnt9dMP+0mi
aNOTxFfKX9HHnvGaxpvOQN8r/6mAZR3m5gcsmH51Gx73kk48bCx5c2dX1NnIxd0w
N+ZFZnyYSD/MM7xfhvI+DcM4B7/mLPXpi8bh73H5RCRFbCC3emtOpLDGNMw7js/g
1Zh9XoKc8HZg9TUzkS0vBrKSvZz5wLyClDSG/f4u8sGl7kfoCiLs1A9boKUeaYCO
8psDjc2MW6GRQQEGK68DoJymINd0WPj4n/B6TUG08qB4zU6Lh1p4BIGzVRQ9CmRI
AwrDbo1HhxfeVD1AQGAfT8Jn5t7YlVJyls6KN6t+EKKzao8TmvZ7IcN0I6yOaONs
X3Ry2TP5bFty3T3V+me8gDGmIqk0CnZCrGRt7IN5a0DzHoC5+pv3W1jhbGGgX8E8
Cm2pEUkO/C7E960UQOZEGe63ZRMF/4uOUiiuAV9hW1i6KEsR9EV8csm1T4UjCOXD
QxAKF0s1W8f6NAtck8rS0+puWxU9G36T3KeimsA0NtIQgp8qqyQ+NXb8819ID6G7
2jZYig/n7yw7n9zQXJxf
=fgV0
-----END PGP SIGNATURE-----