Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- Plone: 20130618 Hotfix (multiple vectors)
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 01 Aug 2013 00:00:29 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/31/2013 10:57 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, Mitre CVE assignment team, vendors,

based on: [1]
http://plone.org/products/plone/security/advisories/20130618-announcement

 and further cooperation with Plone Security Team (many thanks to
Matthew Wilkes for issues review and comments) the [1] issues
description is as follows (the *.py scripts in the summary
correspond to files from Plone 20130618 Hotfix that would be
applicable to correct that specific issue. See also Notes for
particular cases though):


Top posting because I am lazy:

CVE-2013-4188 Plone: DoS (infinite loop) by administrator privilege
users when retrieving information for certain resources (traverser.py)

CVE-2013-4189 Plone: Privilege escalation due improper authorization
(dataitems.py, get.py, traverseName.py)

CVE-2013-4190 Plone: Multiple cross-site scripting (XSS) flaws
(spamProtect.py, pts.py, request.py)

CVE-2013-4191 Plone: Information exposure due improper access control
enforcement when generating zip archives (zip.py)

CVE-2013-4192 Plone: Ability to spoof emails (sendto.py)

CVE-2013-4193 Plone: Anonymous users capable to hide certain fields
from content edit forms (typeswidget.py)

CVE-2013-4194 Plone: File system path exposure (wysiwyg.py)

CVE-2013-4195 Plone: Open redirect in the HTTP server implementation
(marmoset_patch.py, publish.py, principiaredirect.py)

CVE-2013-4196 Plone: Multiple information exposure flaws via certain
object methods (objectmanager.py)

CVE-2013-4197 Plone: Authenticated users able to modify / delete
portraits of other users (member_portrait.py)

CVE-2013-4198 Plone: Authenticated users able to alter their password
despite of policy definition / setting prohibiting it (mail_password.py)

CVE-2013-4199 Plone: DoS by decompressing large zip archives
(cb_decode.py, linkintegrity.py)

CVE-2013-4200 Plone: Forwarding of cookie data (session hijack) in
certain browsers (in_portal.py)

------ #1  Plone: DoS (infinite loop) by administrator privilege
users when retrieving information for certain resources
(traverser.py) https://bugzilla.redhat.com/show_bug.cgi?id=978449 
CWE: CWE-835

A denial of service flaw was found in the way Plone, a user
friendly and powerful content management system, performed
particular resource related information retrieval in certain cases
(request interaction with internal traversal machinery). A remote
attacker, having administrator privilege to certain subset of
Plone action screens / functionality, could use this flaw to cause
uncontrolled resource consumption (infinite loop) by issuing a
specially-crafted request.

----- #2  Plone: Privilege escalation due improper authorization
(dataitems.py, get.py, traverseName.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978450 CWE: CWE-285

A privilege escalation flaw was found in the way Plone, a user
friendly and powerful content management system, enforced
authorization for users having administrator privilege access for a
subtree of a particular node (access to node above that subtree was
granted even when the user in question has had administrator
privilege only for a subtree of that node). A remote attacker, with
administrator user privilege to certain subtree of Plone actions / 
functionality, could use this flaw to access / alter also higher
nodes.

----- #3  Plone: Multiple cross-site scripting (XSS) flaws
(spamProtect.py, pts.py, request.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978451 CWE: CWE-79

Multiple cross-site scripting (XSS) flaws were found in the way
Plone, a user friendly and powerful content management system,
performed sanitization of user provided input in web forms. A
remote attacker could provide a specially-crafted URL that, when
visited by authenticated Plone user could lead to arbitrary HTML or
web script execution in the context of Plone user's session.

----- #4  Plone: Information exposure due improper access control
enforcement when generating zip archives (zip.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978453 CWE: CWE-200,
Information Exposure CWE-284: Improper Access Control CWE-285:
Improper Authorization

An information exposure flaw was found in the way zip archives
generation functionality of Plone, a user friendly and powerful
content management system, enforced user access control privileges
on the content to be included into the archive. A remote attacker
could use this flaw to obtain sensitive information (by generating
a zip archive from content they would not be otherwise able to
access).

----- #5  Plone: Ability to spoof emails (sendto.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978464 CWE: CWE-749

A security flaw was found in the way Plone, a user friendly and
powerful content management system, performed certain provided data
validation when sending emails. A remote attacker, valid Plone
user, could use this flaw to conduct email spoofing attacks.

----- #6  Plone: Anonymous users capable to hide certain fields
from content edit forms (typeswidget.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978469 CWE: CWE-302:
Authentication Bypass by Assumed-Immutable Data

A security flaw was found in the way Plone, a user friendly and
powerful content management system, enforced immutable setting on
certain content edit forms. A remote attacker could use this flaw
to provide a specially-crafted URL that would (in a non-persistent
way) hide certain fields from these content edit forms, possibly
leading to scenario such altered forms to be erroneously accepted
by authenticated Plone user as valid.

----- #7  Plone: File system path exposure (wysiwyg.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978470 CWE: CWE-209:
Information Exposure Through an Error Message

A file system path exposure flaw was found in the way Plone, a user
friendly and powerful content management system, used to present
certain error messages in the wysiwyg component. A remote attacker
could provide a specially-crafted URL that, when processed would
lead to exposure of file system path (for the selected component)
of the Plone instance.

----- #8  Plone: Open redirect in the HTTP server implementation
(marmoset_patch.py, publish.py, principiaredirect.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978471 CWE: CWE-601:
URL Redirection to Untrusted Site ('Open Redirect')

An open redirect flaw was found in multiple components of Plone, a
user friendly and powerful content management system. Remote
attacker could provide a specially-crafted URL that when visited by
valid Plone user could lead the Plone user's session to be
redirected to external site.

Note from Matthew Wilkes: 'marmoset_patch is just a library, not
sure it's worth mentioning here'

----- #9  Plone: Multiple information exposure flaws via certain
object methods (objectmanager.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978475 CWE: CWE-200,
Information Exposure

Multiple information exposure flaws were found in the way object
manager implementation of Plone, a user friendly and powerful
content management system, protected access to its internal
methods. A remote attacker could issue a specially-crafted (URL)
request that, when processed would lead to information exposure.

----- #10 Plone: Authenticated users able to modify / delete
portraits of other users (member_portrait.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978478 CWE: CWE-267:
Privilege Defined With Unsafe Actions

A security flaw (privilege defined with unsafe actions) was found
in the way portrait handling component of Plone, a user friendly
and powerful content management system, performed portraits
management. Remote attacker, authenticated Plone user could use
this flaw to modify or delete portraits of other users.

----- #11 Plone: Authenticated users able to alter their password
despite of policy definition / setting prohibiting it
(mail_password.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978480 CWE: CWE-284:
Improper Access Control

A security flaw was found in the way Plone, a user friendly and
powerful content management system, restricted access to password
change for unauthorized users. If from policy definition Plone user
in question was not allowed to change their password, they
(previously) could still reset / change the password via forgotten 
password email functionality.

----- #12 Plone: DoS by decompressing large zip archives
(cb_decode.py, linkintegrity.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978482 CWE: CWE-400:
Uncontrolled Resource Consumption ('Resource Exhaustion')

A denial of service flaw was found in the way Plone, a user
friendly and powerful content management system, used to previously
expand certain zip archives. Remote attacker, authenticated Plone
user could issue Zip archive expand request with specially-crafted
archive that, when processed would lead to uncontrolled resources
consumption (denial of service).

----- #13 Plone: Forwarding of cookie data (session hijack) in
certain browsers (in_portal.py) 
https://bugzilla.redhat.com/show_bug.cgi?id=978485 CWE: CWE-522:
Insufficiently Protected Credentials

A security flaw was found in the way Plone, a user friendly and
powerful content management system, previously protected user's
cookie data in certain situations. A remote attacker could provide
a specially-crafted URL that, when visited by a valid Plone user
could lead to Plone user's cookie to be forwarded if the victim was
using certain browsers (possibility of session hijack).

Note from Matthew Wilkes due this one: 'Hmm. I'd argue for CWE-601
and maybe CWE-20 too. It's hard to pin down.'

-----

Could you allocate CVE identifiers for these?

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR+fl9AAoJEBYNRVNeJnmT/MkQAIYebwWvV3zpuRmeFjaiJS+Q
E3dfQsBHqtBsOa8WyDiIluwawtn6BY+tWBhzeqXh3nlClATdR4VTOiK/CyCPP2w5
Gs47/Z+cesM0MiGw1ZPv2d3nIkNg2UCwWkDAf2fFqYtpeXOteZ2O+Rnt9dMP+0mi
aNOTxFfKX9HHnvGaxpvOQN8r/6mAZR3m5gcsmH51Gx73kk48bCx5c2dX1NnIxd0w
N+ZFZnyYSD/MM7xfhvI+DcM4B7/mLPXpi8bh73H5RCRFbCC3emtOpLDGNMw7js/g
1Zh9XoKc8HZg9TUzkS0vBrKSvZz5wLyClDSG/f4u8sGl7kfoCiLs1A9boKUeaYCO
8psDjc2MW6GRQQEGK68DoJymINd0WPj4n/B6TUG08qB4zU6Lh1p4BIGzVRQ9CmRI
AwrDbo1HhxfeVD1AQGAfT8Jn5t7YlVJyls6KN6t+EKKzao8TmvZ7IcN0I6yOaONs
X3Ry2TP5bFty3T3V+me8gDGmIqk0CnZCrGRt7IN5a0DzHoC5+pv3W1jhbGGgX8E8
Cm2pEUkO/C7E960UQOZEGe63ZRMF/4uOUiiuAV9hW1i6KEsR9EV8csm1T4UjCOXD
QxAKF0s1W8f6NAtck8rS0+puWxU9G36T3KeimsA0NtIQgp8qqyQ+NXb8819ID6G7
2jZYig/n7yw7n9zQXJxf
=fgV0
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]