oss-sec mailing list archives
Re: CVE Request -- Plone: 20130618 Hotfix (multiple vectors)
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 01 Aug 2013 00:00:29 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/31/2013 10:57 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, Mitre CVE assignment team, vendors, based on: [1] http://plone.org/products/plone/security/advisories/20130618-announcement and further cooperation with Plone Security Team (many thanks to Matthew Wilkes for issues review and comments) the [1] issues description is as follows (the *.py scripts in the summary correspond to files from Plone 20130618 Hotfix that would be applicable to correct that specific issue. See also Notes for particular cases though):
Top posting because I am lazy: CVE-2013-4188 Plone: DoS (infinite loop) by administrator privilege users when retrieving information for certain resources (traverser.py) CVE-2013-4189 Plone: Privilege escalation due improper authorization (dataitems.py, get.py, traverseName.py) CVE-2013-4190 Plone: Multiple cross-site scripting (XSS) flaws (spamProtect.py, pts.py, request.py) CVE-2013-4191 Plone: Information exposure due improper access control enforcement when generating zip archives (zip.py) CVE-2013-4192 Plone: Ability to spoof emails (sendto.py) CVE-2013-4193 Plone: Anonymous users capable to hide certain fields from content edit forms (typeswidget.py) CVE-2013-4194 Plone: File system path exposure (wysiwyg.py) CVE-2013-4195 Plone: Open redirect in the HTTP server implementation (marmoset_patch.py, publish.py, principiaredirect.py) CVE-2013-4196 Plone: Multiple information exposure flaws via certain object methods (objectmanager.py) CVE-2013-4197 Plone: Authenticated users able to modify / delete portraits of other users (member_portrait.py) CVE-2013-4198 Plone: Authenticated users able to alter their password despite of policy definition / setting prohibiting it (mail_password.py) CVE-2013-4199 Plone: DoS by decompressing large zip archives (cb_decode.py, linkintegrity.py) CVE-2013-4200 Plone: Forwarding of cookie data (session hijack) in certain browsers (in_portal.py)
------ #1 Plone: DoS (infinite loop) by administrator privilege users when retrieving information for certain resources (traverser.py) https://bugzilla.redhat.com/show_bug.cgi?id=978449 CWE: CWE-835 A denial of service flaw was found in the way Plone, a user friendly and powerful content management system, performed particular resource related information retrieval in certain cases (request interaction with internal traversal machinery). A remote attacker, having administrator privilege to certain subset of Plone action screens / functionality, could use this flaw to cause uncontrolled resource consumption (infinite loop) by issuing a specially-crafted request. ----- #2 Plone: Privilege escalation due improper authorization (dataitems.py, get.py, traverseName.py) https://bugzilla.redhat.com/show_bug.cgi?id=978450 CWE: CWE-285 A privilege escalation flaw was found in the way Plone, a user friendly and powerful content management system, enforced authorization for users having administrator privilege access for a subtree of a particular node (access to node above that subtree was granted even when the user in question has had administrator privilege only for a subtree of that node). A remote attacker, with administrator user privilege to certain subtree of Plone actions / functionality, could use this flaw to access / alter also higher nodes. ----- #3 Plone: Multiple cross-site scripting (XSS) flaws (spamProtect.py, pts.py, request.py) https://bugzilla.redhat.com/show_bug.cgi?id=978451 CWE: CWE-79 Multiple cross-site scripting (XSS) flaws were found in the way Plone, a user friendly and powerful content management system, performed sanitization of user provided input in web forms. A remote attacker could provide a specially-crafted URL that, when visited by authenticated Plone user could lead to arbitrary HTML or web script execution in the context of Plone user's session. ----- #4 Plone: Information exposure due improper access control enforcement when generating zip archives (zip.py) https://bugzilla.redhat.com/show_bug.cgi?id=978453 CWE: CWE-200, Information Exposure CWE-284: Improper Access Control CWE-285: Improper Authorization An information exposure flaw was found in the way zip archives generation functionality of Plone, a user friendly and powerful content management system, enforced user access control privileges on the content to be included into the archive. A remote attacker could use this flaw to obtain sensitive information (by generating a zip archive from content they would not be otherwise able to access). ----- #5 Plone: Ability to spoof emails (sendto.py) https://bugzilla.redhat.com/show_bug.cgi?id=978464 CWE: CWE-749 A security flaw was found in the way Plone, a user friendly and powerful content management system, performed certain provided data validation when sending emails. A remote attacker, valid Plone user, could use this flaw to conduct email spoofing attacks. ----- #6 Plone: Anonymous users capable to hide certain fields from content edit forms (typeswidget.py) https://bugzilla.redhat.com/show_bug.cgi?id=978469 CWE: CWE-302: Authentication Bypass by Assumed-Immutable Data A security flaw was found in the way Plone, a user friendly and powerful content management system, enforced immutable setting on certain content edit forms. A remote attacker could use this flaw to provide a specially-crafted URL that would (in a non-persistent way) hide certain fields from these content edit forms, possibly leading to scenario such altered forms to be erroneously accepted by authenticated Plone user as valid. ----- #7 Plone: File system path exposure (wysiwyg.py) https://bugzilla.redhat.com/show_bug.cgi?id=978470 CWE: CWE-209: Information Exposure Through an Error Message A file system path exposure flaw was found in the way Plone, a user friendly and powerful content management system, used to present certain error messages in the wysiwyg component. A remote attacker could provide a specially-crafted URL that, when processed would lead to exposure of file system path (for the selected component) of the Plone instance. ----- #8 Plone: Open redirect in the HTTP server implementation (marmoset_patch.py, publish.py, principiaredirect.py) https://bugzilla.redhat.com/show_bug.cgi?id=978471 CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') An open redirect flaw was found in multiple components of Plone, a user friendly and powerful content management system. Remote attacker could provide a specially-crafted URL that when visited by valid Plone user could lead the Plone user's session to be redirected to external site. Note from Matthew Wilkes: 'marmoset_patch is just a library, not sure it's worth mentioning here' ----- #9 Plone: Multiple information exposure flaws via certain object methods (objectmanager.py) https://bugzilla.redhat.com/show_bug.cgi?id=978475 CWE: CWE-200, Information Exposure Multiple information exposure flaws were found in the way object manager implementation of Plone, a user friendly and powerful content management system, protected access to its internal methods. A remote attacker could issue a specially-crafted (URL) request that, when processed would lead to information exposure. ----- #10 Plone: Authenticated users able to modify / delete portraits of other users (member_portrait.py) https://bugzilla.redhat.com/show_bug.cgi?id=978478 CWE: CWE-267: Privilege Defined With Unsafe Actions A security flaw (privilege defined with unsafe actions) was found in the way portrait handling component of Plone, a user friendly and powerful content management system, performed portraits management. Remote attacker, authenticated Plone user could use this flaw to modify or delete portraits of other users. ----- #11 Plone: Authenticated users able to alter their password despite of policy definition / setting prohibiting it (mail_password.py) https://bugzilla.redhat.com/show_bug.cgi?id=978480 CWE: CWE-284: Improper Access Control A security flaw was found in the way Plone, a user friendly and powerful content management system, restricted access to password change for unauthorized users. If from policy definition Plone user in question was not allowed to change their password, they (previously) could still reset / change the password via forgotten password email functionality. ----- #12 Plone: DoS by decompressing large zip archives (cb_decode.py, linkintegrity.py) https://bugzilla.redhat.com/show_bug.cgi?id=978482 CWE: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') A denial of service flaw was found in the way Plone, a user friendly and powerful content management system, used to previously expand certain zip archives. Remote attacker, authenticated Plone user could issue Zip archive expand request with specially-crafted archive that, when processed would lead to uncontrolled resources consumption (denial of service). ----- #13 Plone: Forwarding of cookie data (session hijack) in certain browsers (in_portal.py) https://bugzilla.redhat.com/show_bug.cgi?id=978485 CWE: CWE-522: Insufficiently Protected Credentials A security flaw was found in the way Plone, a user friendly and powerful content management system, previously protected user's cookie data in certain situations. A remote attacker could provide a specially-crafted URL that, when visited by a valid Plone user could lead to Plone user's cookie to be forwarded if the victim was using certain browsers (possibility of session hijack). Note from Matthew Wilkes due this one: 'Hmm. I'd argue for CWE-601 and maybe CWE-20 too. It's hard to pin down.' ----- Could you allocate CVE identifiers for these? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR+fl9AAoJEBYNRVNeJnmT/MkQAIYebwWvV3zpuRmeFjaiJS+Q E3dfQsBHqtBsOa8WyDiIluwawtn6BY+tWBhzeqXh3nlClATdR4VTOiK/CyCPP2w5 Gs47/Z+cesM0MiGw1ZPv2d3nIkNg2UCwWkDAf2fFqYtpeXOteZ2O+Rnt9dMP+0mi aNOTxFfKX9HHnvGaxpvOQN8r/6mAZR3m5gcsmH51Gx73kk48bCx5c2dX1NnIxd0w N+ZFZnyYSD/MM7xfhvI+DcM4B7/mLPXpi8bh73H5RCRFbCC3emtOpLDGNMw7js/g 1Zh9XoKc8HZg9TUzkS0vBrKSvZz5wLyClDSG/f4u8sGl7kfoCiLs1A9boKUeaYCO 8psDjc2MW6GRQQEGK68DoJymINd0WPj4n/B6TUG08qB4zU6Lh1p4BIGzVRQ9CmRI AwrDbo1HhxfeVD1AQGAfT8Jn5t7YlVJyls6KN6t+EKKzao8TmvZ7IcN0I6yOaONs X3Ry2TP5bFty3T3V+me8gDGmIqk0CnZCrGRt7IN5a0DzHoC5+pv3W1jhbGGgX8E8 Cm2pEUkO/C7E960UQOZEGe63ZRMF/4uOUiiuAV9hW1i6KEsR9EV8csm1T4UjCOXD QxAKF0s1W8f6NAtck8rS0+puWxU9G36T3KeimsA0NtIQgp8qqyQ+NXb8819ID6G7 2jZYig/n7yw7n9zQXJxf =fgV0 -----END PGP SIGNATURE-----
Current thread:
- CVE Request -- Plone: 20130618 Hotfix (multiple vectors) Jan Lieskovsky (Jul 31)
- Re: CVE Request -- Plone: 20130618 Hotfix (multiple vectors) Kurt Seifried (Jul 31)