Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 31 Jul 2013 12:57:55 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Mitre CVE assign department <cve-assign@...re.org>,
        Plone Security Team <security@...ne.org>,
        Matthew Wilkes <matthew.wilkes@...ne.org>,
        Jan Pokorny <jpokorny@...hat.com>
Subject: CVE Request -- Plone: 20130618 Hotfix (multiple vectors)

Hello Kurt, Steve, Mitre CVE assignment team, vendors,

  based on:
    [1] http://plone.org/products/plone/security/advisories/20130618-announcement

and further cooperation with Plone Security Team (many thanks to Matthew Wilkes
for issues review and comments) the [1] issues description is as follows (the *.py
scripts in the summary correspond to files from Plone 20130618 Hotfix that would
be applicable to correct that specific issue. See also Notes for particular cases though):

------
#1  Plone: DoS (infinite loop) by administrator privilege users when retrieving information for certain resources (traverser.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978449
    CWE: CWE-835 
    
    A denial of service flaw was found in the way Plone, a user friendly and powerful content management system, performed particular resource related information
    retrieval in certain cases (request interaction with internal traversal machinery). A remote attacker, having administrator privilege to certain subset of Plone
    action screens / functionality, could use this flaw to cause uncontrolled resource consumption (infinite loop) by issuing a specially-crafted request.

-----
#2  Plone: Privilege escalation due improper authorization (dataitems.py, get.py, traverseName.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978450
    CWE: CWE-285

    A privilege escalation flaw was found in the way Plone, a user friendly and powerful content management system, enforced authorization for users having
    administrator privilege access for a subtree of a particular node (access to node above that subtree was granted even when the user in question has had
    administrator privilege only for a subtree of that node). A remote attacker, with administrator user privilege to certain subtree of Plone actions /
    functionality, could use this flaw to access / alter also higher nodes.

-----
#3  Plone: Multiple cross-site scripting (XSS) flaws (spamProtect.py, pts.py, request.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978451
    CWE: CWE-79
  
    Multiple cross-site scripting (XSS) flaws were found in the way Plone, a user friendly and powerful content management system, performed sanitization of user
    provided input in web forms. A remote attacker could provide a specially-crafted URL that, when visited by authenticated Plone user could lead to arbitrary
    HTML or web script execution in the context of Plone user's session.

-----
#4  Plone: Information exposure due improper access control enforcement when generating zip archives (zip.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978453
    CWE: CWE-200, Information Exposure
         CWE-284: Improper Access Control
         CWE-285: Improper Authorization

    An information exposure flaw was found in the way zip archives generation functionality of Plone, a user friendly and powerful content management system,
    enforced user access control privileges on the content to be included into the archive. A remote attacker could use this flaw to obtain sensitive information
    (by generating a zip archive from content they would not be otherwise able to access).

-----
#5  Plone: Ability to spoof emails (sendto.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978464
    CWE: CWE-749

    A security flaw was found in the way Plone, a user friendly and powerful content management system, performed certain provided data validation when sending
    emails. A remote attacker, valid Plone user, could use this flaw to conduct email spoofing attacks.

-----
#6  Plone: Anonymous users capable to hide certain fields from content edit forms (typeswidget.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978469
    CWE: CWE-302: Authentication Bypass by Assumed-Immutable Data

    A security flaw was found in the way Plone, a user friendly and powerful content management system, enforced immutable setting on certain content edit forms.
    A remote attacker could use this flaw to provide a specially-crafted URL that would (in a non-persistent way) hide certain fields from these content edit forms,
    possibly leading to scenario such altered forms to be erroneously accepted by authenticated Plone user as valid.

-----
#7  Plone: File system path exposure (wysiwyg.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978470
    CWE: CWE-209: Information Exposure Through an Error Message

    A file system path exposure flaw was found in the way Plone, a user friendly and powerful content management system, used to present certain error messages
    in the wysiwyg component. A remote attacker could provide a specially-crafted URL that, when processed would lead to exposure of file system path (for the
    selected component) of the Plone instance.

-----
#8  Plone: Open redirect in the HTTP server implementation (marmoset_patch.py, publish.py, principiaredirect.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978471
    CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

    An open redirect flaw was found in multiple components of Plone, a user friendly and powerful content management system. Remote attacker could provide
    a specially-crafted URL that when visited by valid Plone user could lead the Plone user's session to be redirected to external site.

    Note from Matthew Wilkes: 'marmoset_patch is just a library, not sure it's worth mentioning here'

-----
#9  Plone: Multiple information exposure flaws via certain object methods (objectmanager.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978475
    CWE: CWE-200, Information Exposure

    Multiple information exposure flaws were found in the way object manager implementation of Plone, a user friendly and powerful content management system,
    protected access to its internal methods. A remote attacker could issue a specially-crafted (URL) request that, when processed would lead to information exposure.

-----
#10 Plone: Authenticated users able to modify / delete portraits of other users (member_portrait.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978478
    CWE: CWE-267: Privilege Defined With Unsafe Actions

    A security flaw (privilege defined with unsafe actions) was found in the way portrait handling component of Plone, a user friendly and powerful content management
    system, performed portraits management. Remote attacker, authenticated Plone user could use this flaw to modify or delete portraits of other users.

-----
#11 Plone: Authenticated users able to alter their password despite of policy definition / setting prohibiting it (mail_password.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978480
    CWE: CWE-284: Improper Access Control

    A security flaw was found in the way Plone, a user friendly and powerful content management system, restricted access to password change for unauthorized users.
    If from policy definition Plone user in question was not allowed to change their password, they (previously) could still reset / change the password via forgotten
    password email functionality.

-----
#12 Plone: DoS by decompressing large zip archives (cb_decode.py, linkintegrity.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978482
    CWE: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

    A denial of service flaw was found in the way Plone, a user friendly and powerful content management system, used to previously expand certain zip archives.
    Remote attacker, authenticated Plone user could issue Zip archive expand request with specially-crafted archive that, when processed would lead to uncontrolled
    resources consumption (denial of service).

-----
#13 Plone: Forwarding of cookie data (session hijack) in certain browsers (in_portal.py)
    https://bugzilla.redhat.com/show_bug.cgi?id=978485
    CWE: CWE-522: Insufficiently Protected Credentials

    A security flaw was found in the way Plone, a user friendly and powerful content management system, previously protected user's cookie data in certain situations.
    A remote attacker could provide a specially-crafted URL that, when visited by a valid Plone user could lead to Plone user's cookie to be forwarded if the victim
    was using certain browsers (possibility of session hijack).

    Note from Matthew Wilkes due this one: 'Hmm. I'd argue for CWE-601 and maybe CWE-20 too. It's hard to pin down.'

-----

Could you allocate CVE identifiers for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.