Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160905215759.E575734E018@smtpvbsrv1.mitre.org>
Date: Mon,  5 Sep 2016 17:57:59 -0400 (EDT)
From: cve-assign@...re.org
To: nathan.van.gheem@...ne.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Plone multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> All of these vulnerabilities have been patched with the hotfix release
> package https://plone.org/security/hotfix/20160830 and are being
> incorporated upstream.

> 1. *filesystem information leak*: https://plone.org/security/hotfix/20160830/filesystem-information-leak
> 
> Managers had the ability to find read files from the file system that the
> system user running the plone process had access to

>> By using relative paths and guessing locations on a server Plone is
>> installed on, an attacker can read data from a target server that the
>> process running plone has permission to read. The attacker needs
>> administrator privileges on the Plone site to perform this attack.

Use CVE-2016-7135.


> 2. *Non-Persistent XSS in Plone forms*: https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms
> 
> z3c.form will currently accept data from GET requests when the form is
> supposed to be POST. This allows a user to inject a potential XSS attack
> into a form. With certain widgets in Plone admin forms, the input is
> expected to be safe and can cause a reflexive XSS attack. Additionally,
> there is potential for an attack that will trick a user into saving a
> persistent XSS.

Use CVE-2016-7136 for the entire "accept data from GET requests when
the form is supposed to be POST" issue, which apparently has security
relevance for two different reasons ("reflexive XSS" and "saving a
persistent XSS").


> 3. *open redirection*:  https://plone.org/security/hotfix/20160830/open-redirection-in-plone
> 
> In multiple places, Plone blindly uses the referer header to redirect a
> user to the next page after a particular action. An attacker could utilize
> this to draw a user into a redirection attack.

Use CVE-2016-7137.


> 4. *Non-Persistent XSS in Plone*: https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1
> 
> Plone's URL checking infrastructure includes a method for checking if URLs
> valid and located in the Plone site. By passing javascript into this
> specially crafted url, XSS can be achieved.

Use CVE-2016-7138.


> 5. *Non-persistent XSS in Plone*:
> https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone
> 
> Plone has unescaped user input in a page template that is open to XSS.

Use CVE-2016-7139. (There were two issues numbered "5" in the
http://openwall.com/lists/oss-security/2016/09/05/4 post.)


> 5. *Non-Persistent XSS in Plone Zope Management(ZMI)*:
> https://plone.org/security/hotfix/20160830/non-persistent-xss-in-zope2
> 
> In multiple places, Zope2's ZMI pages do not properly escape user input

Use CVE-2016-7140. (There were two issues numbered "5" in the
http://openwall.com/lists/oss-security/2016/09/05/4 post.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXzen4AAoJEHb/MwWLVhi2ikwP/RabVzndqLmnRSGFkekMvJoT
svRXT3P+gz9rIRa8vG2JLljYOQz4E5IyXYIljoQhGn840uf8UBZcVvtC1P1IeHJc
noAhNDXg7I13tWyaIc/h2eVCOjnRC2P/qj5fuw+9TyPBiEPZ/CIs5emDNzrRwyp1
TbBDzhyWUXHYQmtYMzJt2XzYJxHFsC4O8wx7VDx7pvGgKzqHWW50CnOi69aw6AbI
FN5InkQAUM/7ttDUcOnHG2MNMqwoTtPFLxzGBLURi3B86lhnVwEXe5vl+nCgjdCX
r42ANgFPx+xNcIuuToTHtY/pguzCTG2NUFsU8I3Zn5U7jXLs95kkDBsUr7zwWWNi
ftOwUQ79zIKaZL9eQq5cjLdB+gZqWIYaquj4d9lM04nFc7RjYYynhFzQWQmOVxeh
8+JTJ230pfnK8jpdxDACQmRZyuAh1Lo3YjLLMd2BnvgtVdWHfe4bXfb7dQiGhCsV
x0+mIgrIxEMrPuOTEGG8WmSPyqJyJpU90QxYQvjPcqKIAF9vqpFdJtiaXv977jfN
+38Tb1GvvBfSWjDFk6F+DX3isS0qwIQXhuWyVCqOCQYA7/NUVLPCvhNli9dG1Vf4
gPvBLIvmbYNF73uT/A7aZ96+3hBLuUTnhfReTqO7T7HUsf+DtrMh1P4OI13GCzA3
MHGqeXXgdxru82us5feg
=UxLJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.