Plone Hotfix 20151006 Released

October 07, 2015

On October 6th, 2015 the Plone Security Team released a hotfix to address multiple CSRF vulnerability issues in the Zope Management Interface (ZMI):
 
  • An attacker could trick a Plone administrator into clicking on a link in an email or external site to manipulate their site's ZMI unintentionally.
  • This patch backports to Plone 4.x the new auto CSRF protection framework that is included in Plone 5.

NGINX/APACHE PROXY BLOCK RULES AS WORKAROUND

If you are on versions of Plone prior to 4.x, we recommend that you upgrade or block ZMI access from the public.
Whether you use Nginx or Apache, these rules must appear first; they must come before the “location /” rule.
 
Use this block rule for Nginx:
 
location ~ /manage(_.+)?$ {
    deny all;
}
 
Use this block rule for Apache:
 
RewriteRule ^(.*)manage(.*) - [L,NC]
<LocationMatch "^/(manage|manage_main|(.*)/manage(.*))">
    Deny from all
</LocationMatch>
 
While you are working out the patch’s effect on your site, we strongly recommend you implement the above Nginx and Apache block rules.
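As an added check that is not part of the original advisory, the Python script below mirrors the two proxy regexes above so you can see which request paths each rule rejects (the sample paths are constructed), and `zmi_status` fetches a ZMI path through your proxy to confirm the block answers with 403. The base URL passed to `zmi_status` is assumed to be your own site.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Mirrors of the proxy rules quoted in the advisory.
# Nginx: `location ~ /manage(_.+)?$` is tested against the request path only;
# the query string is never part of a location match.
NGINX_RULE = re.compile(r"/manage(_.+)?$")
# Apache: <LocationMatch "^/(manage|manage_main|(.*)/manage(.*))"> is a search
# with no end anchor, so any path that starts with "/manage" or contains
# "/manage" anywhere matches.
APACHE_RULE = re.compile(r"^/(manage|manage_main|(.*)/manage(.*))")


def _path(url_or_path: str) -> str:
    """Reduce a URL or path to the path component the proxy rules see."""
    return urllib.parse.urlsplit(url_or_path).path


def blocked_by_nginx(url_or_path: str) -> bool:
    return NGINX_RULE.search(_path(url_or_path)) is not None


def blocked_by_apache(url_or_path: str) -> bool:
    return APACHE_RULE.search(_path(url_or_path)) is not None


def zmi_status(base_url: str, path: str = "/manage_main", timeout: float = 5.0) -> int:
    """Request a ZMI path through the proxy and return the HTTP status code.

    403 means the proxy rule answered; anything else (an auth challenge, a
    login redirect, 200) means the request reached Zope and the block is not
    in place.
    """
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real site.
    samples = ["/manage", "/manage_main", "/Plone/manage_propertiesForm",
               "/Plone/folder/manage_main?x=1", "/Plone/front-page",
               "/managed-services"]
    for p in samples:
        print(f"{p:32} nginx={blocked_by_nginx(p)!s:5} apache={blocked_by_apache(p)}")
```

Note that the Apache pattern also matches non-ZMI paths that merely begin with "/manage" (the last sample), while the Nginx pattern does not; check your site for such URLs before deploying it.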
 

PLONE VERSIONS SUPPORTED

This hotfix should be applied to the following versions of Plone:
 
  • Plone 4.X and any version prior
  • Any older version of Plone including 2.1, 2.5, 3.0, 3.1, 3.2, 3.3 will need to block access to the ZMI using a web server workaround and also block access to the running Zope instance directly.
 
In accordance with the Plone version support policy at http://plone.org/support/version-support-policy, the hotfix is officially supported by the Plone Security Team for the following versions of Plone: 4.1.6, 4.2.7 and 4.3.7. The fixes are already included in the current release of Plone 5.0, so Plone 5.0 and greater will not require this hotfix.
 

INSTALLATION GUIDELINES

Installation instructions can be found at https://plone.org/products/plone-hotfix/releases/20151006
 

FREQUENTLY ASKED QUESTIONS

Q: Is my Plone site at risk for this exploit?
  A: All versions of Plone prior to the latest 5.0 release are at risk for this exploit. This patch backports to Plone 4.x the new auto CSRF protection framework that is included in Plone 5.
  
Q: How do I know if my site has already been exploited?
  A: There are no known exploits regarding the CSRF issues that have been patched.
 
Q: How can I confirm that the hotfix is installed correctly and my site is protected?
  A: Ensure that the plone4.csrffixes package is installed on your site. You can tell that it is active if, when you are logged in, you see that edit bar links include `_authenticator` values in the URL.
 
Q: How can I report problems installing the patch?
  A: Contact the Plone security team at security@plone.org, or visit the #plone channel on freenode IRC.
 
Q: How can I report other potential security vulnerabilities?
  A: Please email the security team at security@plone.org rather than discussing potential security issues publicly.
  
Q: How do I get help patching my site?
  A: The Six Feet Up developers stand ready to assist you. Simply contact support@sixfeetup.com. We will assist clients in the order that requests are received.
