Historic Plone Security Vulnerability

I spent a lot of time researching the right CMS to choose as our enterprise CMS before deciding on Plone. What really impressed me about Plone was its security record. It was dang near perfect. Today was a bit of a surprise for me, but again the folks at the Plone Foundation came through with a great workaround and a soon-to-be-released patch.

The advisory concerns a vulnerability in Plone 2.5 through Plone 4.0 that allows anonymous users to gain Manager access to a Plone site.

This is an escalation-of-privileges attack that anonymous users can use to gain access to a Plone site's administration controls, view unpublished content, create new content and modify a site's skin. The sandbox protecting access to the underlying system is still in place, and the vulnerability does not grant access to other applications running on the same Zope instance.

All versions of Plone since 2.5 are affected (2.5, 3.0, 3.1, 3.2, 3.3 and 4.0), including all minor and development revisions of those versions.

Due to the severity of this issue, Plone is providing advance warning of an upcoming patch, which will be released at 1600 GMT on Tuesday 8 February 2011.

Workaround

Due to the nature of the vulnerability, the security team has decided to pre-announce that a fix is upcoming before disclosing the details, so that concerned users can plan around the release. Because the published fix will make the details of the vulnerability public, the Plone Foundation recommends that all users plan a maintenance window of 30 minutes either side of the announcement, during which the site is completely inaccessible, in which to install the fix.

If you cannot take your site offline for that window, they STRONGLY recommend that you take one of the following steps to protect your site from before the announcement until you apply the fix:

  1. Make your database read-only.
  2. Alternatively, if making the database read-only is not possible because you are not using one of the standard ZODB backends, disable logins by filtering HTTP authentication and cookies in Apache or Varnish.

These measures do not need to be in place for the entire week, but they should already be in place before the fix and the vulnerability details are released next week. By preventing modifications to your site and patching quickly, you remove the incentive for potential attackers to attempt this attack.
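The second workaround, as an added example that is not from the Plone advisory or the Plone project: an Apache httpd front end that strips HTTP Basic credentials and Plone's login cookie before proxying, so no request reaching Zope can authenticate. It assumes mod_headers, mod_rewrite and mod_proxy are loaded, Zope listens on 127.0.0.1:8080 with the site at /Plone, and the login cookie is named __ac (Plone's default PAS cookie name, which the page does not state; check your own site).

```apache
# Added example (not from the Plone advisory): temporary lockout of all
# authenticated access until the patch is applied. Assumed: mod_headers,
# mod_rewrite and mod_proxy loaded; Zope on 127.0.0.1:8080; site id "Plone";
# login cookie "__ac" (Plone default, verify for your PAS configuration).
<VirtualHost *:80>
    ServerName www.example.org

    # Drop HTTP Basic credentials so Zope never sees them.
    RequestHeader unset Authorization

    # Remove only the __ac cookie and keep any other cookies intact:
    #   "a=1; __ac=...; b=2" -> "a=1; b=2"
    #   "__ac=...; b=2"      -> "b=2"
    # A lone "__ac=..." becomes an empty Cookie header, which is harmless.
    RequestHeader edit Cookie "(^|;\s*)__ac=[^;]*(;\s*)?" "$1"

    # Optional: fail login attempts visibly (403) instead of silently,
    # so editors understand why they cannot log in during the lockout.
    RewriteEngine On
    RewriteRule ^/(.*/)?(login_form|logged_in|require_login)$ - [F,L]

    # Standard Plone VirtualHostMonster rewrite; with the headers above
    # stripped, every proxied request is anonymous.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:80/Plone/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

The RequestHeader directives run in Apache's fixup phase, before mod_proxy forwards the request, so the stripped headers never reach Zope; remove the two RequestHeader lines and the login rule once the patch is installed.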

About Jason
Currently I manage an award winning information portal for Durham Public Schools. I joined Durham Public Schools in 2005. As of 2009 Durham Public Schools has won 4 awards from NCSPRA for excellence in web design. In 2005 and 2006 DPS won awards for best Website for a School District among the school districts of North Carolina. For 2007 we won 2 awards for our Construction Bond website and our Guatemala blog. In 2009 we won the National School Public Relations Association Merit award for our Graduation Project Website. At MadTek, I was responsible for the design, development, usability and deployment of the company's information technology, web portal and business relationships. I founded MadTek, a technology consulting and web hosting company, in 1997. In 2002 MadTek became MadTek LLC. MadTek clients included: Duke University, DukeHealth, Chicago Medical Society, State of Illinois Neurosurgical Society, Precision Response Corporation, and the US Fish and Wildlife Service. From 2000-2002, I was Vice President Web Operations for RateWatch, Inc., a financial reporting and services company servicing a network of 5000 banks and credit unions. At RateWatch I was responsible for developing and implementing AmazingRates.com, an online service for identifying the best Certificate of Deposit buys for consumers by comparing the rates of over 20,000 financial institutions. My work included developing the user interface, web site, gathering tools and a set of best usability practices for the company. During the period 1998-2000, I was Consulting & Support Services Director for CyFi.com, a web development and hosting company servicing financial institutions. At CyFi I was responsible for search engine and security analysis, as well as usability and regulatory compliance. From 1997 to 1998, I was a Web Developer for AT&T WorldNet and a member of the team responsible for building and implementing AT&T's Knowledge Management System.
Specialties Usability analysis, information architecture, managed portal and consulting services.