Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Dec 2013 14:58:37 +0000
From: Matthew Wilkes <matthew@...thewwilkes.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE request for Plone

Hello all,

I'd like to request some CVEs for Plone as we have a hotfix release today.


Filesystem path information leak
--------------------------------

First up, we have a vulnerability that allows people to find the install 
path of Plone on a server. I can't actually think of any attacks that 
happen with this, but we had a CVE assigned for it before so I'm 
requesting another.

Details, including source links are at:
     https://plone.org/security/20131210/path-leak


Privilege escalation through exposed underlying API
---------------------------------------------------

Plone's searching infrastructure is based on CMF's, which is based on 
Zope's. Plone wraps the search API with additional filters for 
permissions and expired content. One of the methods that allows 
searching wasn't so wrapped, so people who can write untrusted Python 
can gain access to content they aren't authorised to. In addition, this 
can accidentally expose information.

Details, including source links are at:
     https://plone.org/security/20131210/catalogue-exposure





In addition, we are releasing two patches to vulnerabilities in Zope 
today. Can somebody advise if these should be merged?


Reflexive XSS in browser_id_manager
-----------------------------------

Zope's session infrastructure includes a method for encoding URLs, which 
is accessible through the web. By passing HTML into this method a 
reflexive XSS attack can be achieved.

Details, including source links are at:
     https://plone.org/security/20131210/zope-xss-in-browseridmanager


Reflexive XSS in OFS.Image
--------------------------

Zope's image objects include a method for generating tags, which allow 
for arbitrary classes to be included. This method is accessible through 
the web and these classes are not sanitised, so the image tag can be 
broken out of and arbitrary HTML included.

Details, including source links are at:
     https://plone.org/security/20131210/zope-xss-in-OFS


Thanks for your attention,

Matt


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.