Message-ID: <l87a6f$3f1$1@ger.gmane.org>
Date: Tue, 10 Dec 2013 14:58:37 +0000
From: Matthew Wilkes <matthew@...thewwilkes.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE request for Plone

Hello all,

I'd like to request some CVEs for Plone as we have a hotfix release today.

Filesystem path information leak
--------------------------------

First up, we have a vulnerability that allows people to find the install path of Plone on a server. I can't actually think of any attacks that happen with this, but we had a CVE assigned for it before so I'm requesting another.

Details, including source links, are at:
https://plone.org/security/20131210/path-leak

Privilege escalation through exposed underlying API
---------------------------------------------------

Plone's searching infrastructure is based on CMF's, which is based on Zope's. Plone wraps the search API with additional filters for permissions and expired content. One of the methods that allows searching wasn't so wrapped, so people who can write untrusted Python can gain access to content they aren't authorised to. In addition, this can accidentally expose information.

Details, including source links, are at:
https://plone.org/security/20131210/catalogue-exposure

In addition, we are releasing two patches to vulnerabilities in Zope today. Can somebody advise if these should be merged?

Reflexive XSS in browser_id_manager
-----------------------------------

Zope's session infrastructure includes a method for encoding URLs, which is accessible through the web. By passing HTML into this method a reflexive XSS attack can be achieved.

Details, including source links, are at:
https://plone.org/security/20131210/zope-xss-in-browseridmanager

Reflexive XSS in OFS.Image
--------------------------

Zope's image objects include a method for generating tags, which allow for arbitrary classes to be included. This method is accessible through the web and these classes are not sanitised, so the image tag can be broken out of and arbitrary HTML included.

Details, including source links, are at:
https://plone.org/security/20131210/zope-xss-in-OFS

Thanks for your attention,

Matt
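The catalogue-exposure item above describes a classic shape of bug: a security wrapper exists, but one of the underlying methods is also reachable through the web without it. The following is an added illustration written for this page, not Plone or Zope code: a toy catalog whose `searchResults` filters by role and expiry, an `unrestrictedSearchResults` that does not, and a toy publisher that enforces the permission each web-callable method declares. All class, role, permission and document names are constructed; the fix shown (declaring a privileged permission on the raw method) is the general remedy, not a claim about what the Plone hotfix does.

```python
"""Illustrative wrapped-vs-unwrapped search (added example, not Plone/Zope code)."""
from datetime import datetime, timezone

# Fixed "now" so expiry filtering is deterministic (constructed).
NOW = datetime(2013, 12, 10, tzinfo=timezone.utc)


class Forbidden(Exception):
    """Raised when a caller lacks the permission a method requires."""


class Doc:
    def __init__(self, path, view_roles, expires=None):
        self.path = path
        self.view_roles = set(view_roles)
        self.expires = expires  # None means never expires


class User:
    def __init__(self, roles):
        self.roles = set(roles)


# Constructed sample content: a public page, a members-only page and an
# expired public page that only a Manager should still see in search.
DOCS = [
    Doc("/plone/front-page", {"Anonymous", "Member", "Manager"}),
    Doc("/plone/members-only", {"Member", "Manager"}),
    Doc("/plone/old-news", {"Anonymous", "Member", "Manager"},
        expires=datetime(2013, 1, 1, tzinfo=timezone.utc)),
]

# Which permissions each role holds (constructed mapping).
ROLE_PERMISSIONS = {
    "Anonymous": {"View"},
    "Member": {"View"},
    "Manager": {"View", "Manage portal"},
}


class CatalogTool:
    """Vulnerable shape: the raw method is web-callable with the same
    permission as the wrapped one, so the wrapper's filters are optional."""

    PERMISSIONS = {
        "searchResults": "View",
        "unrestrictedSearchResults": "View",   # the bug: too permissive
    }

    def __init__(self, docs):
        self._docs = list(docs)

    def _raw(self, path=""):
        # Underlying index lookup; knows nothing about security.
        return [d for d in self._docs if d.path.startswith(path)]

    def searchResults(self, user, path=""):
        # The wrapper: drop what the user may not view and what has expired
        # (Managers are allowed to see expired content).
        return [
            d for d in self._raw(path)
            if d.view_roles & user.roles
            and (d.expires is None or d.expires > NOW or "Manager" in user.roles)
        ]

    def unrestrictedSearchResults(self, user, path=""):
        # No filtering at all; fine for trusted internal code, not for the web.
        return self._raw(path)


class FixedCatalogTool(CatalogTool):
    """Fix: the raw method demands a privileged permission."""

    PERMISSIONS = {
        "searchResults": "View",
        "unrestrictedSearchResults": "Manage portal",
    }


def publish(tool, user, method, **query):
    """Toy publisher: check the declared permission, then call the method.
    Returns the matched paths."""
    needed = tool.PERMISSIONS[method]
    granted = set().union(*(ROLE_PERMISSIONS[r] for r in user.roles))
    if needed not in granted:
        raise Forbidden(f"{method} requires {needed}")
    return [d.path for d in getattr(tool, method)(user, **query)]


if __name__ == "__main__":
    anon = User({"Anonymous"})
    print(publish(CatalogTool(DOCS), anon, "searchResults"))
    print(publish(CatalogTool(DOCS), anon, "unrestrictedSearchResults"))
    try:
        publish(FixedCatalogTool(DOCS), anon, "unrestrictedSearchResults")
    except Forbidden as exc:
        print("fixed:", exc)
```

The point to check in a real code base is not whether a wrapper exists but whether every web-reachable path goes through it: enumerate the published methods of the object and compare each one's declared permission against what the wrapper is protecting.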
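Both Zope items above are the same output-encoding failure: caller-controlled text is placed into markup (an `<img>` tag's class attribute, or a URL reflected back in a response) without escaping for that context. The following is an added example written for this page, not Zope's `OFS.Image` or `browser_id_manager` code: a tag builder in its vulnerable form beside a hardened form that escapes every attribute value, plus a small checker that lists the element names present in the output. Function names, parameter names and the payload are assumptions for illustration.

```python
"""Attribute injection in an HTML tag builder (added example, not Zope code)."""
import html
import re


def tag_vulnerable(src, css_class="", alt=""):
    """Interpolates attribute values verbatim (the bug class described above)."""
    attrs = f'src="{src}"'
    if css_class:
        attrs += f' class="{css_class}"'
    if alt:
        attrs += f' alt="{alt}"'
    return f"<img {attrs} />"


def tag_hardened(src, css_class="", alt=""):
    """Same builder, but every value is escaped for a double-quoted attribute."""
    def q(value):
        # quote=True also converts " and ' so a value cannot close the attribute.
        return html.escape(str(value), quote=True)

    attrs = f'src="{q(src)}"'
    if css_class:
        attrs += f' class="{q(css_class)}"'
    if alt:
        attrs += f' alt="{q(alt)}"'
    return f"<img {attrs} />"


def element_names(markup):
    """Names of the elements that appear in markup, in order (for checking)."""
    return re.findall(r"<([A-Za-z][A-Za-z0-9]*)", markup)


# Constructed payload: closes the class attribute and the tag, injects a
# script element, then reopens an img tag so the remaining markup still parses.
PAYLOAD = '"><script>alert(1)</script><img class="'


if __name__ == "__main__":
    print(tag_vulnerable("logo.png", css_class=PAYLOAD))
    print(element_names(tag_vulnerable("logo.png", css_class=PAYLOAD)))
    print(tag_hardened("logo.png", css_class=PAYLOAD))
    print(element_names(tag_hardened("logo.png", css_class=PAYLOAD)))
```

Escaping fixes the attribute-boundary problem; it does not validate the value. If `src` is caller-controlled, also reject schemes you do not intend to serve (for example anything other than `http`, `https` or a relative path), since `javascript:` is harmless to `html.escape` but not to a browser.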