Date: Thu, 01 Aug 2013 00:00:29 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Mitre CVE assign department <cve-assign@...re.org>,
        Plone Security Team <security@...ne.org>,
        Matthew Wilkes <matthew.wilkes@...ne.org>,
        Jan Pokorny <jpokorny@...hat.com>
Subject: Re: CVE Request -- Plone: 20130618 Hotfix (multiple vectors)


On 07/31/2013 10:57 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, Mitre CVE assignment team, vendors,
> 
> based on [1]:
> http://plone.org/products/plone/security/advisories/20130618-announcement
>
> and further cooperation with the Plone Security Team (many thanks to
> Matthew Wilkes for reviewing the issues and for his comments), the
> description of the [1] issues is as follows (the *.py scripts in the
> summary correspond to the files from the Plone 20130618 Hotfix that
> would be applicable to correct that specific issue; see also the
> Notes for particular cases, though):


Top posting because I am lazy:

CVE-2013-4188 Plone: DoS (infinite loop) by administrator privilege
users when retrieving information for certain resources (traverser.py)

CVE-2013-4189 Plone: Privilege escalation due to improper authorization
(dataitems.py, get.py, traverseName.py)

CVE-2013-4190 Plone: Multiple cross-site scripting (XSS) flaws
(spamProtect.py, pts.py, request.py)

CVE-2013-4191 Plone: Information exposure due to improper access control
enforcement when generating zip archives (zip.py)

CVE-2013-4192 Plone: Ability to spoof emails (sendto.py)

CVE-2013-4193 Plone: Anonymous users capable of hiding certain fields
from content edit forms (typeswidget.py)

CVE-2013-4194 Plone: File system path exposure (wysiwyg.py)

CVE-2013-4195 Plone: Open redirect in the HTTP server implementation
(marmoset_patch.py, publish.py, principiaredirect.py)

CVE-2013-4196 Plone: Multiple information exposure flaws via certain
object methods (objectmanager.py)

CVE-2013-4197 Plone: Authenticated users able to modify / delete
portraits of other users (member_portrait.py)

CVE-2013-4198 Plone: Authenticated users able to alter their password
despite a policy definition / setting prohibiting it (mail_password.py)

CVE-2013-4199 Plone: DoS by decompressing large zip archives
(cb_decode.py, linkintegrity.py)

CVE-2013-4200 Plone: Forwarding of cookie data (session hijack) in
certain browsers (in_portal.py)

> ----- #1  Plone: DoS (infinite loop) by administrator privilege
> users when retrieving information for certain resources
> (traverser.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978449
> CWE: CWE-835
> 
> A denial of service flaw was found in the way Plone, a user
> friendly and powerful content management system, performed
> particular resource related information retrieval in certain cases
> (request interaction with the internal traversal machinery). A remote
> attacker, having administrator privilege to a certain subset of
> Plone action screens / functionality, could use this flaw to cause
> uncontrolled resource consumption (infinite loop) by issuing a
> specially-crafted request.
> 
> ----- #2  Plone: Privilege escalation due to improper authorization
> (dataitems.py, get.py, traverseName.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978450
> CWE: CWE-285
> 
> A privilege escalation flaw was found in the way Plone, a user
> friendly and powerful content management system, enforced
> authorization for users having administrator privilege access for a
> subtree of a particular node (access to the node above that subtree
> was granted even when the user in question had administrator
> privilege only for a subtree of that node). A remote attacker, with
> administrator user privilege to a certain subtree of Plone actions /
> functionality, could use this flaw to also access / alter higher
> nodes.
> 
> ----- #3  Plone: Multiple cross-site scripting (XSS) flaws
> (spamProtect.py, pts.py, request.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978451
> CWE: CWE-79
> 
> Multiple cross-site scripting (XSS) flaws were found in the way
> Plone, a user friendly and powerful content management system,
> performed sanitization of user provided input in web forms. A
> remote attacker could provide a specially-crafted URL that, when
> visited by an authenticated Plone user, could lead to arbitrary HTML
> or web script execution in the context of the Plone user's session.
> 
> ----- #4  Plone: Information exposure due to improper access control
> enforcement when generating zip archives (zip.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978453
> CWE: CWE-200: Information Exposure, CWE-284: Improper Access Control,
> CWE-285: Improper Authorization
> 
> An information exposure flaw was found in the way the zip archive
> generation functionality of Plone, a user friendly and powerful
> content management system, enforced user access control privileges
> on the content to be included in the archive. A remote attacker
> could use this flaw to obtain sensitive information (by generating
> a zip archive from content they would not otherwise be able to
> access).
> 
> ----- #5  Plone: Ability to spoof emails (sendto.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978464
> CWE: CWE-749
> 
> A security flaw was found in the way Plone, a user friendly and
> powerful content management system, performed certain validation of
> provided data when sending emails. A remote attacker, being a valid
> Plone user, could use this flaw to conduct email spoofing attacks.
> 
> ----- #6  Plone: Anonymous users capable of hiding certain fields
> from content edit forms (typeswidget.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978469
> CWE: CWE-302: Authentication Bypass by Assumed-Immutable Data
> 
> A security flaw was found in the way Plone, a user friendly and
> powerful content management system, enforced the immutable setting on
> certain content edit forms. A remote attacker could use this flaw
> to provide a specially-crafted URL that would (in a non-persistent
> way) hide certain fields from these content edit forms, possibly
> leading to a scenario in which such altered forms are erroneously
> accepted by an authenticated Plone user as valid.
> 
> ----- #7  Plone: File system path exposure (wysiwyg.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978470
> CWE: CWE-209: Information Exposure Through an Error Message
> 
> A file system path exposure flaw was found in the way Plone, a user
> friendly and powerful content management system, presented
> certain error messages in the wysiwyg component. A remote attacker
> could provide a specially-crafted URL that, when processed, would
> lead to exposure of the file system path (for the selected component)
> of the Plone instance.
> 
> ----- #8  Plone: Open redirect in the HTTP server implementation
> (marmoset_patch.py, publish.py, principiaredirect.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978471
> CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
> 
> An open redirect flaw was found in multiple components of Plone, a
> user friendly and powerful content management system. A remote
> attacker could provide a specially-crafted URL that, when visited by
> a valid Plone user, could lead the Plone user's session to be
> redirected to an external site.
> 
> Note from Matthew Wilkes: 'marmoset_patch is just a library, not
> sure it's worth mentioning here'
> 
> ----- #9  Plone: Multiple information exposure flaws via certain
> object methods (objectmanager.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978475
> CWE: CWE-200: Information Exposure
> 
> Multiple information exposure flaws were found in the way the object
> manager implementation of Plone, a user friendly and powerful
> content management system, protected access to its internal
> methods. A remote attacker could issue a specially-crafted (URL)
> request that, when processed, would lead to information exposure.
> 
> ----- #10 Plone: Authenticated users able to modify / delete
> portraits of other users (member_portrait.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978478
> CWE: CWE-267: Privilege Defined With Unsafe Actions
> 
> A security flaw (privilege defined with unsafe actions) was found
> in the way the portrait handling component of Plone, a user friendly
> and powerful content management system, performed portrait
> management. A remote attacker, being an authenticated Plone user,
> could use this flaw to modify or delete portraits of other users.
> 
> ----- #11 Plone: Authenticated users able to alter their password
> despite a policy definition / setting prohibiting it
> (mail_password.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978480
> CWE: CWE-284: Improper Access Control
> 
> A security flaw was found in the way Plone, a user friendly and
> powerful content management system, restricted access to password
> changes for unauthorized users. If, by policy definition, the Plone
> user in question was not allowed to change their password, they
> (previously) could still reset / change the password via the
> forgotten password email functionality.
> 
> ----- #12 Plone: DoS by decompressing large zip archives
> (cb_decode.py, linkintegrity.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978482
> CWE: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
> 
> A denial of service flaw was found in the way Plone, a user
> friendly and powerful content management system, previously
> expanded certain zip archives. A remote attacker, being an
> authenticated Plone user, could issue a zip archive expand request
> with a specially-crafted archive that, when processed, would lead to
> uncontrolled resource consumption (denial of service).
> 
> ----- #13 Plone: Forwarding of cookie data (session hijack) in
> certain browsers (in_portal.py)
> https://bugzilla.redhat.com/show_bug.cgi?id=978485
> CWE: CWE-522: Insufficiently Protected Credentials
> 
> A security flaw was found in the way Plone, a user friendly and
> powerful content management system, previously protected the user's
> cookie data in certain situations. A remote attacker could provide
> a specially-crafted URL that, when visited by a valid Plone user,
> could lead to the Plone user's cookie being forwarded if the victim
> was using certain browsers (possibility of session hijack).
> 
> Note from Matthew Wilkes on this one: 'Hmm. I'd argue for CWE-601
> and maybe CWE-20 too. It's hard to pin down.'
> 
> -----
> 
> Could you allocate CVE identifiers for these?
> 
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
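As an added illustration of the mitigation class behind #12 (CVE-2013-4199), and not code from the Plone hotfix or from cb_decode.py / linkintegrity.py: a bounded zip expansion routine in Python that rejects an archive on its declared sizes and compression ratio before inflating anything, and keeps a running byte cap while inflating. The limits, the exception type and the helper names are assumptions constructed for this example.

```python
import io
import zipfile

# Limits are constructed for this demo; a real deployment tunes them per site.
MAX_TOTAL_UNCOMPRESSED = 1024 * 1024  # 1 MiB of inflated data per request
MAX_RATIO = 100                       # file_size / compress_size above this is suspect
CHUNK = 64 * 1024

class ArchiveTooLarge(ValueError):
    """Raised when an archive exceeds the configured expansion limits."""

def safe_extract_sizes(data: bytes) -> dict:
    """Inflate an in-memory zip under hard limits; return {name: bytes_read}.
    Layer 1 rejects on declared sizes before any inflation; layer 2 inflates
    in bounded chunks with a running count, so the cap applies to bytes
    actually produced, not to what the headers promised."""
    sizes, declared_total, produced = {}, 0, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            declared_total += info.file_size
            if declared_total > MAX_TOTAL_UNCOMPRESSED:
                raise ArchiveTooLarge("declared size exceeds cap")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise ArchiveTooLarge("suspicious compression ratio")
        for info in zf.infolist():
            with zf.open(info) as member:
                n = 0
                for chunk in iter(lambda: member.read(CHUNK), b""):
                    n += len(chunk)
                    produced += len(chunk)
                    if produced > MAX_TOTAL_UNCOMPRESSED:
                        raise ArchiveTooLarge("inflated data exceeds cap")
                sizes[info.filename] = n
    return sizes

def rejection_reason(data: bytes):
    """Return None for an acceptable archive, otherwise the rejection reason."""
    try:
        safe_extract_sizes(data)
    except ArchiveTooLarge as exc:
        return str(exc)
    return None

def make_zip(members: dict) -> bytes:
    """Build an in-memory deflate zip from {name: payload} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

A highly repetitive payload trips the ratio check even when its declared size is under the cap, which is the case a size-only check misses.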
