This website places cookies on your device to give you the best user experience. By using our website, you agree to the placement of these cookies. To learn more, read our Privacy Policy.
The Plone Security Team has just released a hotfix for Plone that addresses several vulnerabilities. Here is the information the Six Feet Up team has gathered about it. We highly recommend all Plone site managers apply the patch to their sites.
PLONE HOTFIX 2015-09-10
On September 10th, 2015 the Plone Security Team released a hotfix to address several vulnerability issues:
The fix unpublishes a method that allowed bots to create users in sites with self-registration enabled. The bots would bypass the normal registration form which would defeat any protections on user registration such as CAPTCHAs.
The fix corrects setting HTTP headers on old versions of Zope (Plone 4 or 5 are unaffected)
The fix includes aKupu patch that fixes a potential permissions escallation
The fix patches Plone's URLTool to prevent specific XSS exploits
This hotfix should be applied to the following versions of Plone:
Plone 5.0rc1 and any version prior
Plone 4.3.6 and any version prior
Any older version of Plone including 2.1, 2.5, 3.0, 3.1, 3.2, 3.3, 4.0, 4.1, and 4.2
In accordance with the Plone version support policy at http://plone.org/support/version-support-policy, the hotfix is officially supported by the Plone Security Team for thefollowing versions of Plone:3.3.6, 4.1.6, 4.2.7, 4.3.6 and 5.0rc1.However it has also received some testing on older versions of Plone.The fixes included here will be incorporated into subsequent releases of Plone,so Plone 4.3.7, 5.0rc2 and greater will not require this hotfix.
A: Your site is vulnerable to the user registration exploit if you have self-registration enabled in your site. You will be affected by the header fix if you are on a version of Plone older than 4.x. You will be affected by the Kupu fix if you have Kupu installed. All sites are vulnerable to the cross-site scription (XSS) issue fixed in the URLTool.
Q: How do I know if my site has already been exploited?
A: If you are seeing hundreds of fake user registrations in your site in a very short period of time, your site was most likely exploited.
Q: How can I confirm that the hotfix is installed correctly and my site is protected?
A: On startup, the hotfix will log a number of messages to the Zope event logthat look like this::
2015-09-10 03:20:08 INFO Products.PloneHotfix20150910 Applied addMember patch
The exact list of patches attempted depends on the version of Plone.If a patch is attempted but fails, it will be logged as a warning that says"Could not apply". This may indicate that you have a non-standard Ploneinstallation.
Q: How can I report problems installing the patch?
A: Contact the Plone security team at security@plone.org, or visit the#plone channel on freenode IRC.
Q: How can I report other potential security vulnerabilities?
A: Please email the security team at security@plone.org rather than discussingpotential security issues publicly.
Q: How do I get help patching my site?
A: The Six Feet Up developers stand ready to assist you. Simply contact support@sixfeetup.com. We will assist clients in the order that requests are received.
Thanks for filling out the form! A Six Feet Up representative will be in contact with you soon.
