Plone releases fixes for 24 vulnerabilities
After last week's alert that Zope and the Plone CMS are vulnerable to 24 security holes that could lead to privilege escalation and code injection, the developers have now released a hotfix for Plone that closes them. The hotfix has been tested with Plone 4.2, Plone 4.1, Plone 4, Plone 3, Plone 2.5 and Plone 2.1. An FAQ and other information on the problems are also available.
The list of flaws is, as expected, extensive: issues include the ability for anonymous users to execute arbitrary Python in the admin interface, crafting of URLs which can log users out, an ability to escape the Python sandbox, XSS issues, permissions bypasses, denial of service through unsanitised inputs or by requesting large collections, anonymous manipulation of content item titles, unauthorised downloading of BLOB content, password timing attacks and more.
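One item in that list, "password timing attacks", is worth spelling out, since the fix is the same wherever the class appears. The following is an added illustration of that class in general; it is not code from Plone, Zope or the article, and the article does not say which comparison in Plone was affected. The secret value, the oracle functions and the `recover_secret` routine are all constructed here for the demonstration: an early-exit byte comparison takes longer the more leading bytes of the guess are correct, so an attacker who can measure that (modelled here by the number of bytes examined) recovers the secret one byte at a time. A comparison whose running time does not depend on the contents of the input gives the same measurement for every guess and defeats the technique.

```python
"""Added example: early-exit vs. constant-time secret comparison.
Generic illustration of the 'password timing attack' class; not Plone or Zope code."""
import hmac

# Constructed sample secret for the demonstration (not from the page).
SECRET = b"s3cret-token"


def naive_equal(guess: bytes, secret: bytes) -> tuple[bool, int]:
    """Early-exit comparison as found in many hand-written password checks.

    Returns (match, bytes_examined). The second value stands in for elapsed
    time: the comparison runs longer the more leading bytes are correct,
    which is exactly what a remote attacker measures.
    """
    if len(guess) != len(secret):
        return False, 0
    examined = 0
    for g, s in zip(guess, secret):
        examined += 1
        if g != s:
            return False, examined      # leaks how far the match got
    return True, examined


def constant_time_equal(guess: bytes, secret: bytes) -> tuple[bool, int]:
    """Comparison that always examines every byte, so the measurement
    (bytes_examined) is identical for every wrong guess."""
    if len(guess) != len(secret):
        return False, 0
    diff = 0
    for g, s in zip(guess, secret):
        diff |= g ^ s                   # accumulate, never branch on data
    return diff == 0, len(secret)


def check_token(presented: bytes, secret: bytes) -> bool:
    """What application code should call: the stdlib constant-time compare."""
    return hmac.compare_digest(presented, secret)


def recover_secret(oracle, length: int) -> bytes:
    """Byte-at-a-time recovery using only the side channel the oracle exposes.

    For each position, try all 256 candidates; the one that makes the oracle
    examine the most bytes is correct, because the early-exit comparison only
    advances past a byte that matches. Against constant_time_equal every
    candidate scores the same and the recovery degenerates to guessing.
    """
    known = bytearray()
    for pos in range(length):
        best_byte, best_examined = 0, -1
        for candidate in range(256):
            guess = bytes(known) + bytes([candidate]) + b"\x00" * (length - pos - 1)
            matched, examined = oracle(guess, SECRET)
            if matched:
                return guess            # full secret found
            if examined > best_examined:
                best_byte, best_examined = candidate, examined
        known.append(best_byte)
    return bytes(known)


if __name__ == "__main__":
    print("early-exit oracle recovers:", recover_secret(naive_equal, len(SECRET)))
    print("constant-time oracle recovers:", recover_secret(constant_time_equal, len(SECRET)))
```

In real deployments the measurement is wall-clock time over the network rather than a byte count, so the attacker averages many requests per candidate, but the recovery loop is the same. The practical rule for application code is to never compare secrets (passwords, tokens, HMACs) with `==` or a hand-rolled loop, and to use `hmac.compare_digest` as `check_token` does.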
According to Plone Security Team member Matthew Wilkes, some of the vulnerabilities affect only Plone 3 or Plone 4, while others are in Zope or other libraries. Although many of the issues are relatively minor, there are some serious ones among the 24. The developers have not publicly broken the vulnerabilities down by affected version or component, but state that applying the hotfix to any vulnerable version of Plone removes the risk. Many of the issues were found by the Plone Security Team during an audit of the code, although some were reported by users.