Plone Hotfix 20151006 Released

On October 6th, 2015 the Plone Security Team released a hotfix to address multiple CSRF vulnerability issues in the Zope Management Interface (ZMI):
 
  • An attacker could trick a Plone administrator into clicking on a link in an email or external site to manipulate their site's ZMI unintentionally.
  • This patch backports to Plone 4.x the new auto CSRF protection framework that is included in Plone 5.

NGINX/APACHE PROXY BLOCK RULES AS WORKAROUND 

If you are on versions of Plone prior to 4.x, we recommend that you upgrade or block ZMI access from the public.
Whether you use Nginx or Apache, these rules must appear first; they must come before the “location /” rule.
 
Use this block rule for Nginx:
 
location ~ /manage(_.+)?$ {
    deny all;
}
 
Use this block rule for Apache:
 
# Stop any later proxy RewriteRule from forwarding ZMI URLs on to Zope
RewriteRule ^(.*)manage(.*) - [L,NC]
# Deny the ZMI paths outright (Apache 2.2 syntax; on Apache 2.4 without
# mod_access_compat use "Require all denied" instead)
<LocationMatch "^/(manage|manage_main|(.*)/manage(.*))">
    Deny from all
</LocationMatch>
 
While you are working out the patch’s effect on your site, we strongly recommend you implement the above Nginx and Apache block rules.
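To see exactly which request paths each rule denies, here is an added Python check (not part of the advisory or of Plone itself) that applies the nginx and Apache patterns above to a constructed list of paths; it shows that the Apache patterns are broader and also match ordinary content whose path contains "manage".

```python
import re
from urllib.parse import urlsplit

# The patterns exactly as they appear in the workaround rules above.
NGINX_LOCATION = re.compile(r"/manage(_.+)?$")
APACHE_LOCATIONMATCH = re.compile(r"^/(manage|manage_main|(.*)/manage(.*))")
# RewriteRule ^(.*)manage(.*) - [L,NC]: the [NC] flag makes it case-insensitive.
APACHE_REWRITERULE = re.compile(r"^(.*)manage(.*)", re.IGNORECASE)


def _path(url):
    """Both servers match on the path only; the query string is ignored."""
    return urlsplit(url).path


def nginx_denies(url):
    """True if `location ~ /manage(_.+)?$ { deny all; }` applies."""
    return NGINX_LOCATION.search(_path(url)) is not None


def apache_denies(url):
    """True if the <LocationMatch> block (Deny from all) applies."""
    return APACHE_LOCATIONMATCH.search(_path(url)) is not None


def apache_skips_proxy(url):
    """True if the RewriteRule ends rewriting before any proxy rule runs."""
    return APACHE_REWRITERULE.search(_path(url)) is not None


def coverage(urls):
    """Map each URL to (nginx_denies, apache_denies, apache_skips_proxy)
    so over- and under-blocking can be compared side by side."""
    return {u: (nginx_denies(u), apache_denies(u), apache_skips_proxy(u))
            for u in urls}


# Constructed sample paths: ZMI entry points plus ordinary site content
# whose path merely contains the word "manage".
SAMPLE_URLS = [
    "/manage",
    "/Plone/manage_main",
    "/Plone/folder/manage_workspace?x=1",
    "/Plone/news/management-team",   # content, not ZMI
    "/Plone/managers",               # content, not ZMI
    "/Plone/front-page",
]

if __name__ == "__main__":
    for url, (n, a, r) in coverage(SAMPLE_URLS).items():
        print(f"{url:40} nginx={n!s:5} apache={a!s:5} rewrite-stop={r}")
```

Only the ZMI paths are denied by nginx, while the Apache LocationMatch also denies "/Plone/news/management-team" and "/Plone/managers", so check your site's content ids before relying on it.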
 

PLONE VERSIONS SUPPORTED

This hotfix should be applied to the following versions of Plone:
 
  • Plone 4.X and any version prior
  • Any older version of Plone, including 2.1, 2.5, 3.0, 3.1, 3.2 and 3.3, will need to block access to the ZMI using a web server workaround and also block direct access to the running Zope instance.
 
In accordance with the Plone version support policy at http://plone.org/support/version-support-policy, the hotfix is officially supported by the Plone Security Team for the following versions of Plone: 4.1.6, 4.2.7 and 4.3.7. The fixes are already included in the current release of Plone 5.0; Plone 5.0 and greater do not require this hotfix.
 

INSTALLATION GUIDELINES

Installation instructions can be found at https://plone.org/security/hotfix/20151006
 

FREQUENTLY ASKED QUESTIONS

Q: Is my Plone site at risk for this exploit?
  A: All versions of Plone prior to the latest 5.0 release are at risk for this exploit. This patch backports to Plone 4.x the new auto CSRF protection framework that is included in Plone 5.
  
Q: How do I know if my site has already been exploited?
  A: There are no known exploits regarding the CSRF issues that have been patched.
 
Q: How can I confirm that the hotfix is installed correctly and my site is protected?
  A: Ensure that the plone4.csrffixes package is installed on your site. You can tell that it is active if, when you are logged in, you see that edit bar links include `_authenticator` values in the URL.
 
Q: How can I report problems installing the patch?
  A: Contact the Plone security team at security@plone.org, or visit the #plone channel on freenode IRC.
 
Q: How can I report other potential security vulnerabilities?
  A: Please email the security team at security@plone.org rather than discussing potential security issues publicly.
  
Q: How do I get help patching my site?
  A: The Six Feet Up developers stand ready to assist you. Simply contact support@sixfeetup.com. We will assist clients in the order that requests are received.
