News

The Plone Security Team has just released a hotfix for Plone that addresses several vulnerabilities. Here is the information the Six Feet Up team has gathered about it. We highly recommend all Plone site managers apply the patch to their sites.

PLONE HOTFIX 2015-09-10

On September 10th, 2015 the Plone Security Team released a hotfix to address several vulnerability issues:

• The fix unpublishes a method that allowed bots to create users in sites with self-registration enabled. The bots would bypass the normal registration form which would defeat any protections on user registration such as CAPTCHAs.
• The fix corrects setting HTTP headers on old versions of Zope (Plone 4 or 5 are unaffected)
• The fix includes a Kupu patch that fixes a potential permissions escallation
• The fix patches Plone's URLTool to prevent specific XSS exploits

This hotfix should be applied to the following versions of Plone:

• Plone 5.0rc1 and any version prior
• Plone 4.3.6 and any version prior
• Any older version of Plone including 2.1, 2.5, 3.0, 3.1, 3.2, 3.3, 4.0, 4.1, and 4.2

In accordance with the Plone version support policy at http://plone.org/support/version-support-policy, the hotfix is officially supported by the Plone Security Team for the following versions of Plone: 3.3.6, 4.1.6, 4.2.7, 4.3.6 and 5.0rc1. However it has also received some testing on older versions of Plone. The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.3.7, 5.0rc2 and greater will not require this hotfix.

INSTALLATION GUIDELINES

Installation instructions can be found at https://plone.org/security/hotfix/20150910

FREQUENTLY ASKED QUESTIONS

Q: Is my Plone site at risk for this exploit?

A: Your site is vulnerable to the user registration exploit if you have self-registration enabled in your site. You will be affected by the header fix if you are on a version of Plone older than 4.x. You will be affected by the Kupu fix if you have Kupu installed. All sites are vulnerable to the cross-site scription (XSS) issue fixed in the URLTool.

Q: How do I know if my site has already been exploited?

A: If you are seeing hundreds of fake user registrations in your site in a very short period of time, your site was most likely exploited.

Q: How can I confirm that the hotfix is installed correctly and my site is protected?

A: On startup, the hotfix will log a number of messages to the Zope event log that look like this::

2015-09-10 03:20:08 INFO Products.PloneHotfix20150910 Applied addMember patch

The exact list of patches attempted depends on the version of Plone. If a patch is attempted but fails, it will be logged as a warning that says "Could not apply". This may indicate that you have a non-standard Plone installation.

Q: How can I report problems installing the patch?

A: Contact the Plone security team at security@plone.org, or visit the #plone channel on freenode IRC.

Q: How can I report other potential security vulnerabilities?

A: Please email the security team at security@plone.org rather than discussing potential security issues publicly.

Q: How do I get help patching my site?

A: The Six Feet Up developers stand ready to assist you. Simply contact support@sixfeetup.com. We will assist clients in the order that requests are received.