Date: Wed, 18 Jan 2017 11:33:57 -0500
From: <cve-assign@...re.org>
To: <nathan.van.gheem@...ne.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: Plone Sandbox escape vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [] Accessing private content via `str.format` in through-the-web templates
> and scripts. See this blog post by Armin Ronacher (
> http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/) for the
> general idea. Since the `format` method was introduced in Python 2.6, this
> part of the hotfix is only relevant for Plone 4 and 5, not Plone 3.
>     Credit: Plone security team, Armin Ronacher
>     Reference: https://plone.org/security/hotfix/20170117/sandbox-escape
> 
> Versions Affected:
> 4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version
> 
> Code fixes:
> https://pypi.python.org/pypi/Products.PloneHotfix20170117

Use CVE-2017-5524.

The scope of this CVE does not include the "reflected Cross Site
Scripting attack (XSS) in the ZMI (manage_findResult)" mentioned on
the PloneHotfix20170117 page. If that still needs a CVE ID, please let
us know.

In the http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/ post,
the exploitation scenarios are:

>     untrusted translators on string files. This is a big one because
>     many applications that are translated into multiple languages will
>     use new-style Python string formatting and not everybody will vet
>     all the strings that come in.

We do not feel that a CVE would have been needed if this were the only
exploitation scenario. We do not think there is a security boundary
between "people who can contribute arbitrary code to a product" and
"people who can contribute code that expresses translations." However,
it is possible that an open-source project exists somewhere with a
completely untrusted channel for translators.

>     user exposed configuration. On some systems users might be
>     permitted to configure some behavior and that might be exposed as
>     format strings. In particular I have seen it where users can
>     configure notification mails, log message formats or other basic
>     templates in web applications.

This one seems completely valid, and might be the primary exploitation
scenario for CVE-2017-5524.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYf5iGAAoJEHb/MwWLVhi27kcQAJHT6gBPBNBX+bevBoRdfS2h
NtBgjZrd1s2KVCPnCdZGfnayAFz4nhtaSPul1riqH4on/krV9QkxZmRXxV/8R8ic
IfmTWjg4DRuzYYwSGKKhrlNQa4OVWFVT/us4Rv4XDJwPTOXpf5qKFGjisp7udw8i
SmFFTEYUV6r26ons2Q5u5RQenmiml3gdiS48XTQ5RFVXRNRKpCeswM1E+kG+S6bV
G4Bx8QYUcRvCrRV2W1gEEjxBiI65FyOBQTX3jDg/N7DSn9v4dX4gZaSrbUaHIqLB
YAzuTD4liH/G3ABAUQf3C2uiGEYbDUjGb4v5DFptcGr+xHMx3gtak3sJS+BS2mXq
nrClrpO9BBoYFgQxV6QRTAEpuDoiAfcv6lB/Uj4/90Ub+hrqf94uqyS6XlGzyaxq
r8kWPiVuUf8YbUVfT5H5YSeRZVH1gMK16Mci/4EWw3Al25CuK+HwrIZT/oA7ljez
BL+zGzDGMPoIsHmge+PIS9yEbRvZ05Bim8p4yCE/0nFpWhipALEhNshADgVpkLME
338NhrrW1fyNQoOCggacrcHp51hqpaAVRzJ5yM8DTmMz+SmAGhq2vemqFageQkyr
B+P3VsnBCEFofULAXPgYYN1+Ub4tkWaO3enYCZ2YJIFe/Zj6ysKLnEW42l2edRNz
T2eqS7U/9gxzMdHRkqIn
=97Au
-----END PGP SIGNATURE-----
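The "user exposed configuration" scenario above, as an added example that is not code from the original message, from the Plone hotfix, or from Armin Ronacher's post: a user-editable notification template is rendered with `str.format` against a context object, and the field-name syntax (`.attr`, `[key]`) lets the template walk from that object to a private attribute and on to module globals. The hardened counterpart subclasses `string.Formatter` and allow-lists what a field may read. The `Event` class, `SECRET_KEY`, the field names and the allow list are all constructed for illustration; `_string.formatter_field_name_split` is the CPython 3 helper that `str.format` itself uses to parse field names (on Python 2.7, which Plone 4/5 ran, the equivalent is `str._formatter_field_name_split`).

```python
import string
from _string import formatter_field_name_split  # CPython 3 helper used by str.format

# Constructed stand-in for an application secret living in the globals of the
# module that defines the template's context object.
SECRET_KEY = "constructed-app-secret"


class Event:
    """Constructed context object handed to a user-configurable notification
    template. Illustrative only; not a Plone or Zope class."""

    def __init__(self, title, owner):
        self.title = title
        self.owner = owner
        self._secret = "constructed-private-token"  # must not be readable from a template


def make_event():
    return Event("Release 1.0", "alice")


def render_unsafe(template, event):
    """Vulnerable pattern: an untrusted format string goes straight to str.format.
    Attribute/index traversal in a field name walks from the context object to
    anything reachable from it: private attributes, the class, its __init__,
    and that function's __globals__."""
    return template.format(event=event)


class SafeFormatter(string.Formatter):
    """string.Formatter subclass that resolves only allow-listed attributes.

    `allowed` maps a top-level field name to the set of attribute names a
    template may read on it. Any other attribute, any index access, and any
    traversal deeper than one level is refused with ValueError. Nested
    replacement fields inside a format spec, e.g. {event.title:{event._secret}},
    go through the same get_field() and are refused as well."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed

    def get_field(self, field_name, args, kwargs):
        first, rest = formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for depth, (is_attr, name) in enumerate(rest):
            if depth > 0 or not is_attr or name not in self.allowed.get(first, ()):
                raise ValueError("template may not access %r on %r" % (name, first))
            obj = getattr(obj, name)
        return obj, first


# Constructed allow list: templates may read only these attributes of `event`.
ALLOWED_FIELDS = {"event": {"title", "owner"}}


def render_safe(template, event):
    """Hardened counterpart of render_unsafe: same context, restricted traversal."""
    return SafeFormatter(ALLOWED_FIELDS).format(template, event=event)


def is_blocked(template, event):
    """True when the hardened renderer refuses the template."""
    try:
        render_safe(template, event)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ev = make_event()
    for tpl in ("New item: {event.title} by {event.owner}",
                "{event._secret}",
                "{event.__class__.__init__.__globals__[SECRET_KEY]}"):
        print("template:", tpl)
        print("  unsafe ->", render_unsafe(tpl, ev))
        print("  safe   ->", "blocked" if is_blocked(tpl, ev) else render_safe(tpl, ev))
```

The allow list is on the formatter, not on the context object, so the same `Event` can be exposed to a trusted code path unchanged while templates from users only ever see `title` and `owner`; conversions (`!r`) and format specs (`:>20`) still work on the allowed fields because only `get_field` is overridden.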
