Products.cmfplone: Security issues in the background

Created on 10 Nov 2020 · 7Comments · Source: plone/Products.CMFPlone

Hi, I found several security issues in the background, please pay attention to deal with it

address: https://www.misakikata.com/codes/plone/python-en.html

bug blocker confirmed

Source

MisakiKata

👀2

All 7 comments

Thanks for the report.
But next time, can you contact the Plone Security Team via [email protected]? See also https://plone.org/security/report
I have just now added a new issue template to make this clearer. You can see this when trying to create a new issue.

I have mailed the issue link to them (I am on the team as well).

Seems you need an account for all the points you raise, and mostly at least the Site Administrator role, at least in default Plone without add-ons. So that is a big hurdle. Still, this does not look good, and we should fix this.

mauritsvanrees on 10 Nov 2020

👍1

Thanks for your report!

Some first checks:

SSRF - Tracebacks are only visible with Manager role. Otherwise generic error message w/o exposed information is shown.
XXE 1 - Feature only available with Manager role: https://github.com/plone/plone.app.registry/blob/master/plone/app/registry/browser/configure.zcml#L23
XXE 2 - This one is protected by plone.schemaeditor.ManageSchemata. The permission is only declared and never applied to any role. Thus it is only available to the Manager role.

jensens on 10 Nov 2020

@mauritsvanrees @jensens
Sorry, when I looked up the submission method on the official website, I saw that the report error pointed to GitHub, so I thought I needed to submit it in the issue, and thank you for your feedback and processing.

MisakiKata on 11 Nov 2020

I think I have fixed all affected packages. PRs are linked above. I have made releases of all of them:

plone.app.event 3.2.10
plone.app.theming 4.1.6
plone.app.dexterity 2.6.8
plone.supermodel 1.6.3

These will be in Plone 5.2.3, which has been "soft released".
@MisakiKata I have mentioned you in the release notes.

At least one add-on is also affected, and it may have more impact there, because you don't need the Manager role to be able to use this. I have made releases of that as well: collective.easyform 1.0a4, 2.2.1, 3.0.5.

Thanks again for reporting this! We appreciate this.

mauritsvanrees on 17 Nov 2020

🎉1

@mauritsvanrees @jensens
Sorry, when I looked up the submission method on the official website, I saw that the report error pointed to GitHub, so I thought I needed to submit it in the issue, and thank you for your feedback and processing.

Hi @MisakiKata – thank you for reporting this issue! I am interested in improving our website and links. Can you tell me where you saw the submission method on our official website? On the plone.org's footer it says "Report bugs in Plone", which links to https://plone.org/support/bugs, on which the first paragraph has instructions on how to report security issues, i.e. using the [email protected] email address.