Contact Us
24/7
Python BlogDjango BlogSearch for Kubernetes Big DataSearch for Kubernetes AWS BlogCloud Services

News

<< All NewsPlone Hotfix 20151006 Released

Plone Hotfix 20151006 Released

October 7, 2015

On October 6th, 2015 the Plone Security Team released a hotfix to address multiple CSRF vulnerability issues in the Zope Management Interface (ZMI):

NGINX/APACHE PROXY BLOCK RULES AS WORKAROUND

If you are on versions of Plone prior to 4.x, we recommend that you upgrade or block ZMI access from the public.

Whether you use Nginx or Apache, these rules must appear first; they must come before the “location /” rule.

Use this block rule for Nginx:

location ~ /manage(_.+)?$ {

deny all;

}

Use this block rule for Apache:

RewriteRule ^(.*)manage(.*) - [L,NC]

<LocationMatch "^/(manage|manage_main|(.*)/manage(.*))" >

Deny from all

</LocationMatch>

While you are working out the patch’s effect on your site, we strongly recommend you implement the above Nginx and Apache block rules.

PLONE VERSIONS SUPPORTED

This hotfix should be applied to the following versions of Plone:

In accordance with the Plone version support policy at http://plone.org/support/version-support-policy, the hotfix is officially supported by the Plone Security Team for the following versions of Plone: 4.1.6, 4.2.7 and 4.3.7. The fixes are already included in the current release of Plone 5.0 and greater will not require this hotfix.

INSTALLATION GUIDELINES

Installation instructions can be found at https://plone.org/security/hotfix/20151006

FREQUENTLY ASKED QUESTIONS

Q: Is my Plone site at risk for this exploit?

A: All version of Plone prior to the latest 5.0 release are at risk for this exploit. This patch backports to Plone 4.x the new auto CSRF protection framework that is included in Plone 5.

Q: How do I know if my site has already been exploited?

A: There are no known exploits regarding the CSRF issues that have been patched.

Q: How can I confirm that the hotfix is installed correctly and my site is protected?

A: Ensure that the plone4.csrffixes package is installed on your site. You can tell that it is active if, when you are logged in, you see that edit bar links include `_authenticator` values in the URL.

Q: How can I report problems installing the patch?

A: Contact the Plone security team at security@plone.org, or visit the #plone channel on freenode IRC.

Q: How can I report other potential security vulnerabilities?

A: Please email the security team at security@plone.org rather than discussing potential security issues publicly.

Q: How do I get help patching my site?

A: The Six Feet Up developers stand ready to assist you. Simply contact support@sixfeetup.com. We will assist clients in the order that requests are received.

How can we assist you in reaching your objectives?
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.