News

Two security fixes were unveiled today that address vulnerabilities found in Membrane and Remember, two Plone add-ons that are typically used to extend the stock Plone membership system to use content objects (for instance to support approving members or adding extra fields to member profiles).

1. Membrane (Products.membrane)

Membrane is a Plone add-on that allows a content object in the content management system to represent a user so they can authenticate to the system. This allows the user account to be controlled via the rich set of workflow tools.

The vulnerability is an information disclosure. An anonymous user could, for example, get the e-mail address of a membrane user. The password could also be retrieved, but it is encrypted (using a one way hash that includes a salt), so it would be very difficult to crack.

To protect sites using Membrane, it is recommended to upgrade to the latest version:

• Use Products.membrane 2.1.1 for sites running Plone 3.3 or 4.x

• Use Products.membrane 1.1 for sites running Plone 3

The 1.1 version is basically the old 1.1b5 release from early 2009 with an uninstall profile added plus this security fix. Users running 1.1b5 who are concerned about a sudden big version increase to 2.1.1 should turn to version 1.1 as a safe upgrade.

2. Remember (Products.remember)

Remember is a Plone add-on that provides an implementation of a Membrane-based member that can be further customized.

The vulnerability is an information disclosure. Anonymous users could get the password hash of a Remember member. It is not an immediate problem, but it makes it easier to crack passwords.

Maurits van Rees has made three releases with this fix on PyPI, 1.1, 1.2, 1.9, all listed here:

http://pypi.python.org/pypi/Products.remember

1.1 is the old 1.1b3 release from 2009 with the security fix added.  Users concerned about a big upgrade should use that release. This release is compatible with Plone 3.x and Products.membrane 1.1. Do NOT use this release with Plone 4 or Products.membrane 2.x.

1.2 has more changes; see the changelog.  It has the changes that were done on trunk before Ken started doing bigger changes leading to the 1.9 series.  Compatible with Plone 3 and Products.membrane 1.1 or 2.x (2.1.1 recommended).  Might work on Plone 4 but the automated tests say otherwise; that might just be a problem with the tests though.

1.9 is recommended for users who are already running 1.9b1.  It is compatible with Plone 4.x and Products.membrane 2.x (2.1.1 recommended).

Recommendations

As a reminder, it is preferable to make a backup of the Data.fs (and blobstorage if applicable) before applying those upgrades, confirm it is possible to restore that backup and the previous software versions in case anything goes wrong, and test prior to releasing to a production environment.

Please contact us with any questions.