The Plone Security Team has just released a hotfix for Plone that addresses several vulnerabilities. Here is the information the Six Feet Up team has gathered about it. We highly recommend all Plone site managers apply the patch to their sites.
On September 10th, 2015, the Plone Security Team released a hotfix to address several vulnerabilities:
This hotfix should be applied to the following versions of Plone:
In accordance with the Plone version support policy at http://plone.org/support/version-support-policy, the hotfix is officially supported by the Plone Security Team for the following versions of Plone: 3.3.6, 4.1.6, 4.2.7, 4.3.6 and 5.0rc1. However, it has also received some testing on older versions of Plone. The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.3.7, 5.0rc2 and greater will not require this hotfix.
Installation instructions can be found at https://plone.org/security/hotfix/20150910
Q: Is my Plone site at risk for this exploit?
A: Your site is vulnerable to the user registration exploit if you have self-registration enabled in your site. You will be affected by the header fix if you are on a version of Plone older than 4.x. You will be affected by the Kupu fix if you have Kupu installed. All sites are vulnerable to the cross-site scripting (XSS) issue fixed in the URLTool.
Q: How do I know if my site has already been exploited?
A: If you are seeing hundreds of fake user registrations in your site in a very short period of time, your site was most likely exploited.
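One way to look for that burst without clicking through the user list is to count POSTs to the registration form in the instance's access log (Z2.log). The script below is an added example written for this post, not code from Plone or from the hotfix. It assumes the common-log-format lines Zope writes to Z2.log, and that the registration form is reached as @@register (Plone 4 and later) or join_form (Plone 3); the log lines it scans are constructed for the example. If the instance sits behind a reverse proxy, the client field will be the proxy's address unless the proxy's real-IP header is logged, so treat the distinct-IP count accordingly.

```python
import re
from collections import deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Registration form targets: @@register (Plone 4 and later) and join_form
# (Plone 3). Both are assumptions made for this example.
REGISTER_PATHS = ("@@register", "join_form")


def _line(ip, ts, method, path, status):
    # Z2.log-style line; Zope writes "Anonymous" in the user field for
    # unauthenticated requests (assumed format)
    return f'{ip} - Anonymous [{ts}] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample: two normal sign-ups ten minutes apart, then 25
# registration POSTs from a single address inside 50 seconds.
SAMPLE_ACCESS_LOG = "\n".join(
    [
        _line("203.0.113.5", "10/Sep/2015:03:00:00 +0000", "GET", "/Plone/@@register", 200),
        _line("203.0.113.5", "10/Sep/2015:03:00:41 +0000", "POST", "/Plone/@@register", 302),
        _line("198.51.100.7", "10/Sep/2015:03:10:12 +0000", "POST", "/Plone/join_form", 302),
    ]
    + [
        _line("192.0.2.9", f"10/Sep/2015:03:25:{2 * i:02d} +0000", "POST", "/Plone/@@register", 302)
        for i in range(25)
    ]
)


def registration_posts(log_text):
    """Return sorted (timestamp, client_ip) pairs for POSTs to a registration form."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if not path.endswith(REGISTER_PATHS):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("ip")))
    events.sort()
    return events


def max_in_window(events, window_seconds):
    """Largest number of registrations that fall inside any span of window_seconds."""
    window = deque()
    best = 0
    for ts, _ip in events:
        window.append(ts)
        # drop timestamps that have fallen out of the sliding window
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        best = max(best, len(window))
    return best


def registration_burst(log_text, threshold=20, window_seconds=60):
    """Summarise registration POSTs and flag the log when more than
    `threshold` of them arrive within `window_seconds`."""
    events = registration_posts(log_text)
    peak = max_in_window(events, window_seconds)
    return {
        "total": len(events),
        "peak": peak,
        "distinct_ips": len({ip for _ts, ip in events}),
        "suspicious": peak >= threshold,
    }


if __name__ == "__main__":
    print(registration_burst(SAMPLE_ACCESS_LOG))
```

The threshold and window are deliberately loose defaults; a site that legitimately sees more than twenty sign-ups a minute should raise them, and a site that normally sees a handful a day can lower them. Run it over the rotated logs as well as the live one, since a burst that happened last week is just as much an indicator.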
Q: How can I confirm that the hotfix is installed correctly and my site is protected?
A: On startup, the hotfix will log a number of messages to the Zope event log that look like this:
2015-09-10 03:20:08 INFO Products.PloneHotfix20150910 Applied addMember patch
The exact list of patches attempted depends on the version of Plone. If a patch is attempted but fails, it will be logged as a warning that says "Could not apply". This may indicate that you have a non-standard Plone installation.
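The following script, added as an example for this post rather than taken from the hotfix package, reads a Zope event log and reports which patches the hotfix applied and which it could not. Only the "Applied addMember patch" line format comes from the hotfix's output shown above; the other patch names, the exact wording after "Could not apply", and the use of Zope's "Ready to handle requests" line as the end-of-startup marker are assumptions. Because the hotfix logs on every startup, the script reports only the most recent startup, so a failed patch from before a restart does not hide a later success (or the reverse).

```python
import re

# Constructed sample of a Zope event log covering two startups of the same
# instance. The first startup reports one patch that could not be applied;
# after a restart every patch applies.
SAMPLE_EVENT_LOG = """\
2015-09-10 03:20:08 INFO Products.PloneHotfix20150910 Applied addMember patch
2015-09-10 03:20:08 WARNING Products.PloneHotfix20150910 Could not apply kupu patch
2015-09-10 03:20:09 INFO Zope Ready to handle requests
2015-09-10 04:01:15 INFO Products.PloneHotfix20150910 Applied addMember patch
2015-09-10 04:01:15 INFO Products.PloneHotfix20150910 Applied kupu patch
2015-09-10 04:01:16 INFO Zope Ready to handle requests
"""

HOTFIX_LOGGER = "Products.PloneHotfix20150910"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) (?P<msg>.*)$"
)
APPLIED_RE = re.compile(r"^Applied (?P<name>\S+) patch$")
FAILED_RE = re.compile(r"^Could not apply (?P<name>\S+)")  # assumed wording
STARTUP_DONE = ("Zope", "Ready to handle requests")  # assumed end-of-startup line


def hotfix_status(log_text):
    """Return the hotfix patches applied and failed during the latest startup.

    Result: {"loaded": bool, "applied": [...], "failed": [...]}. "loaded" is
    False when the hotfix logged nothing, which usually means the product is
    not installed or the instance has not been restarted since installation.
    """
    applied, failed = [], []
    new_startup = False  # True once an earlier startup has completed
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        logger, msg = m.group("logger"), m.group("msg")
        if (logger, msg) == STARTUP_DONE:
            new_startup = True
            continue
        if logger != HOTFIX_LOGGER:
            continue
        if new_startup:
            # hotfix messages after a completed startup belong to a restart:
            # discard what the earlier startup reported
            applied, failed = [], []
            new_startup = False
        a = APPLIED_RE.match(msg)
        f = FAILED_RE.match(msg)
        if a:
            applied.append(a.group("name"))
        elif f:
            failed.append(f.group("name"))
    return {"loaded": bool(applied or failed), "applied": applied, "failed": failed}


def is_protected(status, required=("addMember",)):
    """True when the hotfix loaded, every required patch applied and none failed."""
    return status["loaded"] and not status["failed"] and all(
        name in status["applied"] for name in required
    )


if __name__ == "__main__":
    status = hotfix_status(SAMPLE_EVENT_LOG)
    print(status)
    print("protected:", is_protected(status))
```

The `required` tuple is where you list the patches that matter for your version (the addMember patch for any site with self-registration, for instance); a "Could not apply" entry for any of them means the site is not protected and the non-standard installation needs to be looked at before assuming the hotfix did its job.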
Q: How can I report problems installing the patch?
A: Contact the Plone security team at security@plone.org, or visit the #plone channel on freenode IRC.
Q: How can I report other potential security vulnerabilities?
A: Please email the security team at security@plone.org rather than discussing potential security issues publicly.
Q: How do I get help patching my site?
A: The Six Feet Up developers stand ready to assist you. Simply contact support@sixfeetup.com. We will assist clients in the order that requests are received.