Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE Request - PloneFormGen, multiple vulnerabilities
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 16 Jul 2013 11:37:41 -0600

Hash: SHA1

On 07/04/2013 02:54 PM, Matthew Wilkes wrote:
Hello all,

I'd like to request some CVE identifiers for the following 
vulnerabilities, recently patched in PloneFormGen[1]

Here are some descriptions of the vulnerabilities, along with the
CVSSv2 base score we calculated, and our determination of the
relevant CWE identifiers. We're not sure about potential merges,
especially as there are two pairs of very similar attacks.

# Execute arbitrary shell commands **CVSSv2 base score**: 10

CWE-78 - Improper Neutralisation of Special Elements used in an OS
Command CWE-573 - Improper Following of Specification by Caller 
CWE-749 - Exposed dangerous method or function

Passing a urlencoded shell command to a support function that is 
accessible through the web causes that shell command to be run with
the same privileges as the Zope server.

# Set custom script body **CVSSv2 base score**: 8.2 CWE-306 -
Missing authentication for critical resource CWE-749 - Exposed
dangerous method or function

When using a custom script action adapter, it is possible for
anonymous users to overwrite the content of the script. This allows
an attacker complete control over what happens to the received
data. The script is executed within Zope's RestrictedPython
environment, however, so it doesn't allow escape from the process

# Can set body of mail template on mailer object **CVSSv2 base
score**: 7.5 CWE-863 - Incorrect authorization CWE-749 - Exposed
dangerous method or function

An unused method has a declarePublic call, allowing anyone to
invoke it. This allows any PloneFormGen form with a mailer object
to have the email template modified by anonymous users. As the
template is a ZPT object it can include inline Python expressions
evaluated in the process sandbox.

# Insufficient CSRF protection on SaveData adapter allows changing
data **CVSSv2 base score**: 6.3 CWE-352 - Cross-site request
forgery (CSRF) CWE-749 - Exposed dangerous method or function

If a privileged user is tricked into accessing an attacker
controlled URL, it is possible to craft a request which would allow
setting the saved data to any value, thus compromising the
integrity of the data.

# Can determine the success page without filling in form **CVSSv2
base score**: 5 CWE-767 - Access to critical private variable via
public method

Often this is just a thank you page, however it is used by some
users to expose access to a private URL or further logic. In this
case it *may* provide an attacker with access to sensitive

# Render body of mail template on mailer object **CVSSv2 base
score**: 5 CWE-767 - Access to critical private variable via public

Like the above attack, this allows users who have not filled in a
form to see the email they would have received if they had. It
stacks with the set body vulnerability to allow the attacker to
execute Python embedded in the custom template.

# Run ScriptAdapter script without submitting form **CVSSv2 base
score**: 5 (???) CWE-767 - Access to critical private variable via
public method

As above, but with the set custom script body vulnerability. The
effect of running the script varies by deployment.

# Can add spurious blank records to SaveDataAdapter **CVSSv2 base
score**: 5 CWE-306 - Missing authentication for critical resource 
CWE-20 - Improper input validation CWE-749 - Exposed dangerous
method or function

When using the default action adapter for saving data, it's
possible to create blank, likely invalid records. A malicious user
could automate this to add many invalid responses.

# Can enable or disable form actions **CVSSv2 base score**: 4.3 
CWE-306 - Missing authentication for critical resource CWE-352 -
Cross-site request forgery

If the ids of the action adapters within a form are known, it is 
possible to disable or enable them as an anonymous user. This would
allow an attacker to effectively disable the form, or to redirect

# Vector for determining user details in XSS attacks **CVSSv2 base
score**: 3.5 (???) CWE-352 - Cross-site request forgery CWE-359 -
Privacy violation

Multiple methods are exposed which allow determination of the
email address, name and id of the currently authenticated member in
custom script adapters. If an attacker were already performing a
cross site scripting vulnerability elsewhere on the domain, these
methods could be used to identify users and leak sensitive

All but 'Insufficient CSRF protection on SaveData adapter allows 
changing data' have official fixes; that one is unpatched.
Disclosure of reproducers has only been to the maintainer at this
stage, but happen more widely sometime in the next few weeks.
Credits for all the vulnerabilities go to The Code Distillery

Kurt, or whoever assigns the CVEs for this, I'm happy to provide
more information if you need it.


Matthew Wilkes

[1] - 

------ http://thedistillery.eu. The Code Distillery Ltd. Is
registered in England & Wales (#7747893). Registered address
145-157 St John Street, London, EC1V 4PW.

Sorry thought i had replied to this. I need links to the code
commits/vuln code so I can confirm these.

To reiterate: so I can confirm CVE assignments, and prevent duplicate
assignments you *MUST* provide links to the code commits/vulnerable
code. I don't have the time to go hunting through your source code for
them. People need to start making better CVE requests, or you're not
going to get CVEs from me.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Version: GnuPG v1.4.13 (GNU/Linux)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]