Hotfixes for critical vulnerabilities in CMS Plone [Update]
The Plone content management system development team have released updates to fix two critical vulnerabilities, which could be exploited by attackers to gain control over a web server. Plone uses the Python-based Zope web application server and is considered a flexible CMS for large websites.
The vulnerabilities result from bugs in the statusmessages and linkintegrity modules, which cause Plone to interpret certain received data incorrectly as Python pickles (serialised objects). The Python pickle module is used to save session data. This apparently makes it possible to execute Python code with the privileges of the Zope/Plone process. In principle it is the pickle module itself which is at fault here, as it provides no protection against malicious data. Developers should check data closely before passing it to this module.
Plone 2.5 to 2.5.4 and Plone 3.0 to 3.0.2 are affected. Hotfixes which resolve the problem are available. The bug is fixed in the forthcoming versions 2.5.5 and 3.0.3. Previous versions, such as 2.1.x and earlier, are not vulnerable.
In a statement, Plone developer Martijn Pieters and Andreas Zeidler, who discovered the vulnerabilities, have explicitly told heise Security that use of pickle is not just fraught with potential dangers - the module is fundamentally non-secure if you use it for handling user-supplied input. Both strongly advise against using pickle in such cases. The hotfix means that pickle is no longer used in Plone. Other web applications which use pickle remain vulnerable.
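Where pickle-formatted input cannot be removed outright, the mitigation the Python documentation recommends is a restricted Unpickler that only resolves a whitelist of globals, so a pickle referencing anything else is refused before its code can run. The following is an added example, not Plone's or Zope's code; the session blobs and the whitelist contents are constructed for illustration.

```python
"""Restricted unpickling of untrusted data (added example, not Plone code)."""
import collections
import io
import pickle

# Only these (module, name) pairs may be resolved while unpickling. Any other
# global reference (os.system, subprocess.Popen, a class whose __reduce__ runs
# code, ...) is refused before it is ever called. Constructed whitelist:
# extend it only after reviewing what each entry's __reduce__ can do.
ALLOWED_GLOBALS = {
    ("builtins", "range"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not in ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} in untrusted pickle")


def restricted_loads(data: bytes):
    """Deserialise untrusted pickle bytes, allowing only whitelisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return (True, value) on success or (False, reason) so callers can log it."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample inputs standing in for session data received from a client.
SAFE_SESSION = pickle.dumps({"user": "alice", "roles": ["Member"], "ttl": 3600})
ALLOWED_SAMPLE = pickle.dumps(range(3))          # needs builtins.range: whitelisted
# OrderedDict is harmless, but it is a non-whitelisted global, so the strict
# whitelist must refuse it, exactly as it would refuse a dangerous one.
NEEDS_GLOBAL = pickle.dumps(collections.OrderedDict(user="mallory"))

if __name__ == "__main__":
    for label, blob in (("plain-data", SAFE_SESSION),
                        ("whitelisted-global", ALLOWED_SAMPLE),
                        ("unknown-global", NEEDS_GLOBAL)):
        ok, result = try_load(blob)
        print(f"{label}: {'accepted' if ok else 'rejected'} -> {result}")
```

Plain built-in containers, strings and numbers never trigger find_class, so ordinary session data still loads; only pickles that name a module-level object are checked against the whitelist.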
- Plone Hotfix 20071106, description on plone.org
- CVE-2007-5741: Unsafe data interpreted as pickles, security advisory on plone.org