Date: Sat, 7 Jan 2017 06:26:27 -0600
From: Nathan Van Gheem <nathan.van.gheem@...ne.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Plone Multiple Vulnerabilities

Well, okay.

Turns out CVEs were indeed already issued for these disclosures.

I was pointed to https://vuldb.com/?id.92694 and so was told to get CVEs
quickly.

https://vuldb.com/?id.92694 -- it seems the reporter also requested his
own CVEs under different groupings, and now we have duplicate
disclosures/CVEs with classification conflicts.

Not sure what to do about the duplicates but you can ignore this request.

On Sat, Jan 7, 2017 at 5:54 AM, Nathan Van Gheem <nathan.van.gheem@...ne.org
> wrote:

> Dear oss-security List,
>
> Please provide CVEs for the following 6 issues:
>
> 1) Filesystem information leak
> A vulnerability that allows remote attackers to obtain information on
> files on the server
> Credit: Sebastian Perez
> Impact: By using relative paths and guessing locations on a server Plone
> is installed on, an attacker can read data from a target server that the
> process running plone has permission to read. The attacker needs
> administrator privileges on the Plone site to perform this attack.
> Reference: https://plone.org/security/hotfix/20160830/filesystem-information-leak
>
> 2) Non-Persistent XSS in Plone forms
> z3c.form will currently accept data from GET requests when the form is
> supposed to be POST. This allows a user to inject a potential XSS attack
> into a form. With certain widgets in Plone admin forms, the input is
> expected to be safe and can cause a reflexive XSS attack. Additionally,
> there is potential for an attack that will trick a user into saving a
> persistent XSS.
> Credit: Sebastian Perez
> Reference: https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms
>
>
> 3) Open Redirection
> In multiple places, Plone blindly uses the referer header to redirect a
> user to the next page after a particular action. An attacker could utilize
> this to draw a user into a redirection attack.
> Credit: Sebastian Perez
> Reference: https://plone.org/security/hotfix/20160830/open-redirection-in-plone
>
>
> 4) Non-Persistent XSS
> Plone's URL checking infrastructure includes a method for checking if URLs
> are valid and located in the Plone site. By passing javascript into this
> specially crafted URL, XSS can be achieved.
> Credit: Sebastian Perez
> Reference: https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1
>
>
> 5) Non-Persistent XSS on user form
> Plone has unescaped user input in a page template that is open to XSS.
> Credit: Sebastian Perez
> Reference: https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone
>
>
> 6) Non-Persistent XSS in Zope2
> In multiple places, Zope2's ZMI pages do not properly escape user input
> Credit: Sebastian Perez
> Reference: https://plone.org/security/hotfix/20160830/non-persistent-xss-in-zope2
>
>
>
> Versions Affected:
> 4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version
>
> Code fixes:
> https://pypi.python.org/pypi/Products.PloneHotfix20160830
>
> Recommended action:
> Install the https://pypi.python.org/pypi/Products.PloneHotfix20160830
> package.
>
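Added example, not part of the original message and not code from Plone, Zope or the hotfix: a small Python module showing the kind of checks that items 2, 3 and 4 in the quoted request describe as missing (a Referer-based redirect that stays on the site, a scheme allow-list for user-supplied link URLs, and taking form data only from the HTTP method the form was written for). The site base https://plone.example/site/, the function names and all inputs are assumptions constructed for the demo.

```python
"""Illustrative hardening checks for the referer redirect, URL validation
and GET-vs-POST form issues listed above.  This is an added example, not
Plone or Zope code; SITE_URL and the function names are assumptions."""
import html
from urllib.parse import urlsplit, urljoin

# Constructed site base for the demo (assumption, not a real deployment).
# The trailing slash matters: urljoin() resolves relative targets under it.
SITE_URL = "https://plone.example/site/"
ALLOWED_SCHEMES = ("http", "https")


def _clean(url):
    """Reject None, empty strings, control characters and backslashes.
    Browsers treat '\\' like '/' in the authority position, so a target
    such as '\\\\evil.example' would slip past a naive host comparison;
    tabs and newlines are rejected so 'java\\tscript:' cannot hide a scheme."""
    if not url or any(ord(c) < 0x20 for c in url) or "\\" in url:
        return None
    return url.strip()


def is_safe_redirect(target, site_url=SITE_URL):
    """True only if target resolves to an http(s) URL on the site's host
    and under the site's path prefix.  Relative targets are resolved
    against site_url first, so 'folder/edit' passes but '//evil.example/',
    'https://evil.example/', 'javascript:...' and '../outside' do not."""
    target = _clean(target)
    if target is None:
        return False
    site = urlsplit(site_url)
    resolved = urlsplit(urljoin(site_url, target))
    if resolved.scheme not in ALLOWED_SCHEMES:
        return False
    if resolved.netloc.lower() != site.netloc.lower():
        return False
    prefix = site.path.rstrip("/") + "/"
    return resolved.path == site.path or resolved.path.startswith(prefix)


def safe_next_url(referer, site_url=SITE_URL):
    """Choose the post-action redirect: the Referer header only if it is
    safe, otherwise the site root.  Item 3 describes the Referer being
    used blindly; this is the validation step that closes that."""
    if is_safe_redirect(referer, site_url):
        return urljoin(site_url, referer)
    return site_url


def is_allowed_link(url):
    """Scheme allow-list for user-supplied link URLs (item 4): relative
    links and http(s) pass; javascript:, data:, vbscript: and friends do
    not.  urlsplit() lower-cases the scheme, so 'JaVaScRiPt:' is caught."""
    url = _clean(url)
    if url is None:
        return False
    scheme = urlsplit(url).scheme
    return scheme == "" or scheme in ALLOWED_SCHEMES


def form_input(method, query, body, expected="POST"):
    """Only accept form data from the method the form was written for
    (item 2).  Returning None for a GET against a POST form means a
    crafted link can no longer feed attacker-chosen values into the
    form's widgets."""
    if method.upper() != expected.upper():
        return None
    return body if expected.upper() == "POST" else query


def render_field(value):
    """Escape user input before it reaches a page template (items 5/6)."""
    return html.escape(value, quote=True)
```

The path-prefix check in is_safe_redirect is deliberately stricter than a host-only comparison: a Plone site is often one object under a Zope root, and a redirect to a sibling path on the same host is still outside the site the user was acting in.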
