Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 19 Jul 2013 14:53:56 +0100
From: Matthew Wilkes <matt@...distillery.eu>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request - PloneFormGen, multiple vulnerabilities

 > Sorry thought i had replied to this. I need links to the code
> commits/vuln code so I can confirm these.
>
> To reiterate: so I can confirm CVE assignments, and prevent duplicate
> assignments you *MUST* provide links to the code commits/vulnerable
> code. I don't have the time to go hunting through your source code for
> them. People need to start making better CVE requests, or you're not
> going to get CVEs from me.

Sorry, I wasn't aware you'd be wanting to trawl through the source
yourself, tried to provide enough context in the original.



# Execute arbitrary shell commands
**CVSSv2 base score**: 10

CWE-78 - Improper Neutralisation of Special Elements used in an OS Command
CWE-573 - Improper Following of Specification by Caller
CWE-749 - Exposed dangerous method or function

Passing a urlencoded shell command to a support function that is
accessible through the web causes that shell command to be run with the
same privileges as the Zope server.

Vulnerable code:
https://github.com/smcmahon/Products.PloneFormGen/blob/1.7.8/Products/PloneFormGen/content/ya_gpg.py#L99-L100

Fixed by:
https://github.com/smcmahon/Products.PloneFormGen/commit/405daa4ee0248ea7f0af84d46cb551b652123454#L1L100



# Set custom script body
**CVSSv2 base score**: 8.2
CWE-306 - Missing authentication for critical resource
CWE-749 - Exposed dangerous method or function

When using a custom script action adapter, it is possible for anonymous
users to overwrite the content of the script. This allows an attacker
complete control over what happens to the received data. The script is
executed within Zope's RestrictedPython environment, however, so it
doesn't allow escape from the process sandbox.

Vulnerable code:
https://github.com/smcmahon/Products.PloneFormGen/blob/6e3bf62685b203f75720d7b475013fd7f51b43ca/Products/PloneFormGen/content/customScriptAdapter.py#L156-L159

Fixed by:
https://github.com/smcmahon/Products.PloneFormGen/commit/c30eaa22d3b87a3f0e38ac5253a09427c71a14fa#L1L156
Fixed by:
https://github.com/smcmahon/Products.PloneFormGen/commit/e95ae713709bc47a7eecbff872c465413e8cf529#L1R158



# Can set body of mail template on mailer object
**CVSSv2 base score**: 7.5
CWE-863 - Incorrect authorization
CWE-749 - Exposed dangerous method or function

An unused method has a declarePublic call, allowing anyone to invoke it.
This allows any PloneFormGen form with a mailer object to have the email
template modified by anonymous users. As the template is a ZPT object it
can include inline Python expressions evaluated in the process sandbox.

Vulnerable code:
https://github.com/smcmahon/Products.PloneFormGen/blob/6e3bf62685b203f75720d7b475013fd7f51b43ca/Products/PloneFormGen/content/formMailerAdapter.py#L569-L581

Fixed by:
https://github.com/smcmahon/Products.PloneFormGen/commit/083354988faadb0314d7059e57aad41d81cd17e0#L1L569



# Insufficient CSRF protection on SaveData adapter allows changing data
**CVSSv2 base score**: 6.3
CWE-352 - Cross-site request forgery (CSRF)
CWE-749 - Exposed dangerous method or function

If a privileged user is tricked into accessing an attacker controlled
URL, it is possible to craft a request which would allow setting the
saved data to any value, thus compromising the integrity of the data.

Vulnerable code:
https://github.com/smcmahon/Products.PloneFormGen/blob/master/Products/PloneFormGen/content/saveDataAdapter.py#L185-L208



# Can determine the success page without filling in form
**CVSSv2 base score**: 5
CWE-767 - Access to critical private variable via public method

Often this is just a thank you page, however it is used by some users to
expose access to a private URL or further logic. In this case it *may*
provide an attacker with access to sensitive information.

Vulnerable code:
https://github.com/smcmahon/Products.PloneFormGen/blob/6e3bf62685b203f75720d7b475013fd7f51b43ca/Products/PloneFormGen/content/form.py#L628-L670

Fixed by:
https://github.com/smcmahon/Products.PloneFormGen/commit/d68227e9e5d654758ee1a711fc0af78d4a6a3c66


# Render body of mail template on mailer object
**CVSSv2 base score**: 5
CWE-767 - Access to critical private variable via public method

Like the above attack, this allows users who have not filled in a form
to see the email they would have received if they had. It stacks with
the set body vulnerability to allow the attacker to execute Python
embedded in the custom template.

Fixed in:
https://github.com/smcmahon/Products.PloneFormGen/blob/master/Products/PloneFormGen/content/formMailerAdapter.py#L503-L507



# Run ScriptAdapter script without submitting form
**CVSSv2 base score**: 5 (???)
CWE-767 - Access to critical private variable via public method

As above, but with the set custom script body vulnerability. The effect
of running the script varies by deployment.

Fixed in:
https://github.com/smcmahon/Products.PloneFormGen/blob/master/Products/PloneFormGen/content/customScriptAdapter.py#L137-L141



# Can add spurious blank records to SaveDataAdapter
**CVSSv2 base score**: 5
CWE-306 - Missing authentication for critical resource
CWE-20 - Improper input validation
CWE-749 - Exposed dangerous method or function

When using the default action adapter for saving data, it's possible to
create blank, likely invalid records. A malicious user could automate
this to add many invalid responses.

Fixed in:
https://github.com/smcmahon/Products.PloneFormGen/commit/de053133678b07e2fedfa44fa59ba28350fc76af#L1R103



# Can enable or disable form actions
**CVSSv2 base score**: 4.3
CWE-306 - Missing authentication for critical resource
CWE-352 - Cross-site request forgery

If the ids of the action adapters within a form are known, it is possible to
disable or enable them as an anonymous user. This would allow an attacker to
effectively disable the form, or to redirect input.

Fixed in:
https://github.com/smcmahon/Products.PloneFormGen/commit/bdec524555d0614ce35722082f740ec5e51d27e8#L1L1017




# Vector for determining user details in XSS attacks
**CVSSv2 base score**: 3.5 (???)
CWE-352 - Cross-site request forgery
CWE-359 - Privacy violation

Fixed in:
https://github.com/smcmahon/Products.PloneFormGen/commit/bdec524555d0614ce35722082f740ec5e51d27e8





I think that should be all you asked for, please let me know if not.

Matt


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3748 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.