


Plone Hotfix 20151006 Released

October 7, 2015

On October 6th, 2015 the Plone Security Team released a hotfix to address multiple CSRF vulnerability issues in the Zope Management Interface (ZMI):


If you are on versions of Plone prior to 4.x, we recommend that you upgrade or block ZMI access from the public.

Whether you use Nginx or Apache, these rules must appear first; they must come before the “location /” rule.

Use this block rule for Nginx:

location ~ /manage(_.+)?$ {
    deny all;
}


Use this block rule for Apache:

RewriteRule ^(.*)manage(.*) - [L,NC]

<LocationMatch "^/(manage|manage_main|(.*)/manage(.*))">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Deny from all
</LocationMatch>


While you are working out the patch’s effect on your site, we strongly recommend you implement the above Nginx and Apache block rules.
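Before deploying either rule, it is worth checking exactly which request paths it covers. The following is an added example, not code from the post or from Plone: it applies the two patterns above to constructed request paths using Python's re module, which evaluates these simple patterns the same way the PCRE engines in Nginx and Apache do. It goes a step beyond the post by showing that the Apache pattern, unanchored at the end, also denies ordinary content whose path contains the word "manage".

```python
import re

# The post's Nginx rule. "location ~" regexes are case-sensitive PCRE
# matched against the request path (no query string). The trailing $ means
# only a path segment that is exactly "manage" or "manage_<something>" hits.
NGINX_BLOCK = re.compile(r"/manage(_.+)?$")

# The post's Apache <LocationMatch> regex. It is anchored at the start only,
# so it matches as a prefix: any path containing "/manage" is denied.
APACHE_BLOCK = re.compile(r"^/(manage|manage_main|(.*)/manage(.*))")


def blocked_by_nginx(path: str) -> bool:
    """True if the post's Nginx rule would answer this path with 'deny all'."""
    return NGINX_BLOCK.search(path) is not None


def blocked_by_apache(path: str) -> bool:
    """True if the post's Apache rule would answer this path with 'Deny from all'."""
    return APACHE_BLOCK.search(path) is not None


def compare(paths):
    """Map each request path to (blocked_by_nginx, blocked_by_apache)."""
    return {p: (blocked_by_nginx(p), blocked_by_apache(p)) for p in paths}


# Constructed sample request paths: ZMI entry points that must be blocked,
# followed by ordinary Plone content URLs that must stay reachable.
SAMPLE_PATHS = [
    "/manage",
    "/manage_main",
    "/Plone/manage_main",
    "/Plone/manage_access",
    "/Plone/news/some-doc/manage_workspace",
    "/Plone/news",                   # plain content, must pass
    "/Plone/about/management-team",  # content path containing "manage"
    "/Plone/managers",               # same
]

if __name__ == "__main__":
    for path, (ng, ap) in compare(SAMPLE_PATHS).items():
        ng_s = "DENY" if ng else "pass"
        ap_s = "DENY" if ap else "pass"
        print(f"{path:40} nginx={ng_s:4} apache={ap_s}")
```

Both rules deny every ZMI path in the sample, but only the Apache rule also denies "/Plone/about/management-team" and "/Plone/managers"; if your site has public content with such names, tighten the Apache pattern (for example by anchoring it like the Nginx one) before relying on it.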


This hotfix should be applied to the following versions of Plone:

In accordance with the Plone version support policy at, the hotfix is officially supported by the Plone Security Team for the following versions of Plone: 4.1.6, 4.2.7 and 4.3.7. The fixes are already included in the current release of Plone 5.0, so Plone 5.0 and greater do not require this hotfix.


Installation instructions can be found at


Q: Is my Plone site at risk for this exploit?

A: All versions of Plone prior to the latest 5.0 release are at risk for this exploit. This patch backports to Plone 4.x the new automatic CSRF protection framework that is included in Plone 5.

Q: How do I know if my site has already been exploited?

A: There are no known exploits regarding the CSRF issues that have been patched.

Q: How can I confirm that the hotfix is installed correctly and my site is protected?

A: Ensure that the plone4.csrffixes package is installed on your site. You can tell that it is active if, when you are logged in, you see that edit bar links include `_authenticator` values in the URL.

Q: How can I report problems installing the patch?

A: Contact the Plone security team at, or visit the #plone channel on freenode IRC.

Q: How can I report other potential security vulnerabilities?

A: Please email the security team at rather than discussing potential security issues publicly.

Q: How do I get help patching my site?

A: The Six Feet Up developers stand ready to assist you. Simply contact We will assist clients in the order that requests are received.
