Personal tools

Contact Us 24/7 > 1 866.SIX FEET

Skip to content. | Skip to navigation

Home > About > News & Events > News > Six Feet Up Recommends Upgrading Membrane and Remember

EVERYONE.NET SCHEDULED MAINTENANCE will be performing maintenance on their databases Friday October 28th, 2016 between 9:00PM PT to 3:00AM PT / 12:00AM ET to 06:00AM ET. During this time, all services including web mail, POP, IMAP, and SMTP relay may experience degraded performance and inbound mail delivery delays. We apologize for any inconvenience.

Six Feet Up Recommends Upgrading Membrane and Remember

December 02, 2011

Two security fixes were unveiled today that address vulnerabilities found in Membrane and Remember, two Plone add-ons that are typically used to extend the stock Plone membership system to use content objects (for instance to support approving members or adding extra fields to member profiles).

1. Membrane (Products.membrane)

Membrane is a Plone add-on that allows a content object in the content management system to represent a user so they can authenticate to the system. This allows the user account to be controlled via the rich set of workflow tools.

The vulnerability is an information disclosure. An anonymous user could, for example, get the e-mail address of a membrane user. The password could also be retrieved, but it is encrypted (using a one way hash that includes a salt), so it would be very difficult to crack.

To protect sites using Membrane, it is recommended to upgrade to the latest version:


The 1.1 version is basically the old 1.1b5 release from early 2009 with an uninstall profile added plus this security fix. Users running 1.1b5 who are concerned about a sudden big version increase to 2.1.1 should turn to version 1.1 as a safe upgrade.

2. Remember (Products.remember)

Remember is a Plone add-on that provides an implementation of a Membrane-based member that can be further customized.

The vulnerability is an information disclosure. Anonymous users could get the password hash of a Remember member. It is not an immediate problem, but it makes it easier to crack passwords.

Maurits van Rees has made three releases with this fix on PyPI, 1.1, 1.2, 1.9, all listed here:

1.1 is the old 1.1b3 release from 2009 with the security fix added.  Users concerned about a big upgrade should use that release. This release is compatible with Plone 3.x and Products.membrane 1.1. Do NOT use this release with Plone 4 or Products.membrane 2.x.

1.2 has more changes; see the changelog.  It has the changes that were done on trunk before Ken started doing bigger changes leading to the 1.9 series.  Compatible with Plone 3 and Products.membrane 1.1 or 2.x (2.1.1 recommended).  Might work on Plone 4 but the automated tests say otherwise; that might just be a problem with the tests though.

1.9 is recommended for users who are already running 1.9b1.  It is compatible with Plone 4.x and Products.membrane 2.x (2.1.1 recommended).


As a reminder, it is preferable to make a backup of the Data.fs (and blobstorage if applicable) before applying those upgrades, confirm it is possible to restore that backup and the previous software versions in case anything goes wrong, and test prior to releasing to a production environment.

Please contact us with any questions.

Next Steps

Select a type of support:

Contact our sales team

First name:
Last name:
Phone Number:
Fight spam:
What is + ?
Call Us 1 866.SIX FEET