20161129

Fixes various XSS and open redirection vulnerabilities

Available downloads

PloneHotfix20161129-1.2.zip

MD5: f78c6a6fb79421e5e05dc83cceebd191
SHA1: 1fe5909e22f6ba2a29712ec4c80725a33bcc6cd2
For all platforms (7364 bytes)

Plone affected versions

  • 5.1a2
  • 5.1a1
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 4.3.11
  • 4.3.10
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.2
  • 4.3.1
  • 4.3
  • 4.2.7
  • 4.2.6
  • 4.2.5
  • 4.2.4
  • 4.2.3
  • 4.2.2
  • 4.2.1
  • 4.2
  • 4.1.6
  • 4.1.5
  • 4.1.4
  • 4.1.3
  • 4.1.2
  • 4.1.1
  • 4.1
  • 4.0.10
  • 4.0.9
  • 4.0.8
  • 4.0.7
  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0
  • 3.3.6
  • 3.3.5
  • 3.3.4
  • 3.3.3
  • 3.3.2
  • 3.3.1
  • 3.3
  • 2.5.5

Release Notes

CVE numbers not yet issued.

Versions Affected: All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version). Previous versions could be affected but have not been fully tested.

Versions Not Affected: None.

Nature of vulnerability: the patch addresses cross-site scripting (XSS) vulnerabilities and unauthorized privilege escalations.

Version support: The hotfix is officially supported by the Plone security team on the following versions of Plone in accordance with the Plone version support policy: 4.0.10, 4.1.6, 4.2.7, 4.3.11 and 5.0.6. However, it has also received some testing on older versions of Plone.

The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.3.12, 5.0.7 and greater should not require this hotfix.

Applied patches

Not all patches need to be applied in all Plone versions.

If you are using a version of Plone that does not have plone.app.discussion (commenting) installed, the "comments" patch will not be applied.

Required manual step

If you have enabled commenting on your Plone site, you will also need to apply an additional manual step.

The security issue about comments on private documents needs a change in the Plone configuration. Log in as a Manager and call /@@apply-hotfix20161129 on the root of each Plone site. This displays a form; click its button and Plone will change the workflow of comments and reindex the security settings of existing comments.

Additional Patches

  • Related: a vulnerability in DTML was discovered that could allow Cross Site Scripting (XSS) attacks. This vulnerability is *not* fixed by this hotfix, because it could not be fixed from within the hotfix. An exploit is hard: an attacker would need to enter a character that cannot normally be typed on a keyboard. On Plone 4.1 and higher, you should use DocumentTemplate 2.13.3, which was released today. On Plone 4.0 and lower, DocumentTemplate was included in the Zope2 code, which will not get an updated release.
  • The Zope Security Team fixed an issue where quoting of an SQL string could fail. The ZSQLMethods product is available in all Plone sites, but no core code uses it. An exploit is hard: an attacker would need to enter a character that cannot normally be typed on a keyboard. On Plone 4.0 and higher, you should use Products.ZSQLMethods 2.13.5, which was released a few weeks ago. On Plone 3.3 and lower, Products.ZSQLMethods was included in the Zope2 code, which will not get an updated release.

To pin these versions, add them to the [versions] section of your buildout:

[versions]
DocumentTemplate = 2.13.3
Products.ZSQLMethods = 2.13.5

This is harmless even if your version of Plone does not use these packages as separate distributions.


Installation instructions

The procedure for installing Hotfix 20161129 differs slightly based on which version of Plone or Zope you are running, and whether you installed Plone or Zope using buildout.

Backup First!

It is prudent to back up all your data and installation files before installing any Plone add-on, including this hotfix. If you already have a solid Plone backup routine in place, you can skip this step.

If you don't already have a backup of your Plone site, the simplest way to take one is to copy your entire Zope instance folder or buildout folder to a secure location. Stop the instance first so that the copied Data.fs is consistent.

Recommended Install Procedure

If you're less experienced with Plone, the easiest way to install Hotfix 20161129 on Plone 4.0 - Plone 5.x is as follows:

1) Download the hotfix archive using the link above. If you have md5sum and sha1sum (Linux) or md5 and shasum (Mac) available, use them to check that the archive's digests match the MD5 and SHA1 values listed above before unpacking it. A mismatch means the download is corrupt or has been tampered with; do not install it.

2) Place the downloaded zip file into the "products" directory in your Zope instance. On pre-buildout installations, this will be "Products".

3) Unpack the zip file.

On Linux or Mac, the command is:

$ unzip PloneHotfix20161129-1.2.zip

On Windows, use your favorite archiving product. (7Zip is a good choice).

4) Restart your Zope instance in foreground mode so you can watch the startup log and confirm that the hotfix loads.

On Mac or Linux, the command is typically:

$ bin/instance fg

On Windows, the command is typically:

> bin\instance.exe fg

Zope will start in the foreground, and you should see the message "INFO Products.PloneHotfix20161129 Hotfix installed" during startup.

5) Stop the foreground instance of Zope by hitting CTRL-C

6) Restart your Zope instance.

On Mac or Linux, the command is typically:

$ bin/instance start

On Windows, the command is typically:

> bin\instance.exe start

If you're using ZEO clients, change instance to client1, client2, etc., in the above commands.
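The download check from step 1 as a shell script. This is an added example, not part of the hotfix or of the original instructions. The archive name and the two digest values are the ones published above; the macOS fallbacks (md5, shasum) are assumptions about the tools available on your system.

```shell
#!/bin/sh
# Verify PloneHotfix20161129-1.2.zip against the MD5 and SHA1 published above
# before unpacking it into products/. Added example; not part of the hotfix.
EXPECTED_MD5=f78c6a6fb79421e5e05dc83cceebd191
EXPECTED_SHA1=1fe5909e22f6ba2a29712ec4c80725a33bcc6cd2

# digest ALGO FILE: print the hex digest, using coreutils on Linux and the
# BSD tools on macOS (the macOS fallbacks are assumptions about your system).
digest() {
  case "$1" in
    md5)
      if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | awk '{print $1}'
      else md5 -q "$2"; fi ;;
    sha1)
      if command -v sha1sum >/dev/null 2>&1; then sha1sum "$2" | awk '{print $1}'
      else shasum -a 1 "$2" | awk '{print $1}'; fi ;;
    *) echo "unknown algorithm: $1" >&2; return 1 ;;
  esac
}

# verify_archive FILE MD5 SHA1: return 0 only if both digests match.
# MD5 alone is collision-weak, so both published values are required.
verify_archive() {
  file=$1
  want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
  got_md5=$(digest md5 "$file") || return 1
  got_sha1=$(digest sha1 "$file") || return 1
  if [ "$got_md5" != "$want_md5" ]; then
    echo "MD5 mismatch for $file: got $got_md5, expected $want_md5" >&2
    return 1
  fi
  if [ "$got_sha1" != "$want_sha1" ]; then
    echo "SHA1 mismatch for $file: got $got_sha1, expected $want_sha1" >&2
    return 1
  fi
  echo "checksums OK: $file"
}

# Usage: sh verify_hotfix.sh PloneHotfix20161129-1.2.zip
# A non-zero exit means the archive does not match and must not be installed.
if [ $# -gt 0 ]; then
  verify_archive "$1" "$EXPECTED_MD5" "$EXPECTED_SHA1"
fi
```

Run it in the directory holding the download and only continue with step 2 when it prints "checksums OK"; chaining it as `sh verify_hotfix.sh PloneHotfix20161129-1.2.zip && unzip PloneHotfix20161129-1.2.zip` makes the unpack conditional on the check.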


Installing with Buildout

If you are an experienced Plone administrator, and you are using a buildout-based installation of Plone, you may choose to install Hotfix 20161129 with buildout. If you do, make certain that rerunning buildout will not accidentally overwrite Plone components with newer versions; this is particularly likely when you use buildout with older versions of Plone whose package versions are not fully pinned.

If you are not sure what you're doing, use the "Recommended Install Procedure" above.

1) Find your buildout.cfg file, typically located in the "zinstance" subdirectory of your Plone installation directory. (If you're using ZEO clients, the subdirectory may be called "zeoserver").

2) Open your buildout.cfg file in your text editor. 

3) Scroll down to the "eggs" section of the buildout and add Products.PloneHotfix20161129, e.g.

[buildout]
...
eggs = 
    Products.PloneHotfix20161129

[versions]
Products.PloneHotfix20161129 = 1.2

4) Rerun buildout.

On Mac or Linux, the command is:

$ ./bin/buildout -Nv

On Windows, the command is:

> bin\buildout.exe -Nv

5) Restart your Zope instance.

On Mac or Linux, the command is:

$ ./bin/instance start

On Windows, the command is:

> bin\instance.exe start

Alternatively, on Windows, you may restart the Zope service via the Windows Services control panel.

If you're using ZEO clients, change instance to client1, client2, etc., in the above commands.


Installation continued

On startup, the hotfix logs a number of messages to the Zope event log. Use them to confirm that the hotfix was installed, and to see which patches were applied. They look like this:

2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 Applied publishing patch
2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 Applied copy patch
2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 You should call /@@apply-hotfix20161129 on all Plone Sites that have comments enabled.
2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 Applied comments patch
2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 Hotfix installed
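A post-install check over the event log, written as an added example (not part of the hotfix or the original page). It confirms the "Hotfix installed" line, lists which patches were applied, and exits with a distinct status when the comments patch reports that /@@apply-hotfix20161129 still has to be called, so the manual step is not forgotten on any ZEO client. The sample log embedded in the script is constructed from the message formats shown above, not a real capture, and the var/log/<name>.log paths are an assumption about your buildout layout.

```shell
#!/bin/sh
# Post-install check of the Zope event log for PloneHotfix20161129.
# Added example; not part of the hotfix. Exit codes of check_hotfix_log:
#   0  "Hotfix installed" found and no manual step required
#   1  log unreadable, or no "Hotfix installed" line (the hotfix did not load)
#   2  installed, but the comments patch says /@@apply-hotfix20161129 must be called
HOTFIX='Products.PloneHotfix20161129'

# check_hotfix_log LOGFILE
check_hotfix_log() {
  log=$1
  [ -r "$log" ] || { echo "$log: cannot read event log" >&2; return 1; }
  if ! grep -q "$HOTFIX Hotfix installed" "$log"; then
    echo "$log: NOT INSTALLED (no '$HOTFIX Hotfix installed' line)" >&2
    return 1
  fi
  # One "Applied <name> patch" line per component the hotfix patched.
  grep -o "$HOTFIX Applied [a-z]* patch" "$log" | sort -u | sed "s|^$HOTFIX |$log: |"
  if grep -q "$HOTFIX You should call /@@apply-hotfix20161129" "$log"; then
    echo "$log: MANUAL STEP REQUIRED: log in as Manager and call /@@apply-hotfix20161129 on every Plone site with comments enabled" >&2
    return 2
  fi
  echo "$log: installed, no manual step required"
}

# check_all_clients LOG...: run the check on the instance log and every ZEO
# client log; the worst result wins (1 beats 2 beats 0).
check_all_clients() {
  rc=0
  for f in "$@"; do
    check_hotfix_log "$f" && status=0 || status=$?
    if [ "$status" -eq 1 ]; then rc=1
    elif [ "$status" -eq 2 ] && [ "$rc" -eq 0 ]; then rc=2
    fi
  done
  return "$rc"
}

# Constructed sample log (not a real capture): the comments patch was applied,
# so the manual step is required and the check must return 2.
SAMPLE_LOG='2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 Applied publishing patch
2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 Applied copy patch
2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 You should call /@@apply-hotfix20161129 on all Plone Sites that have comments enabled.
2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 Applied comments patch
2016-11-29 07:55:56 INFO Products.PloneHotfix20161129 Hotfix installed'

# demo: run the check against the constructed sample and return its status.
demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  check_hotfix_log "$tmp" && status=0 || status=$?
  rm -f "$tmp"
  return "$status"
}

# Usage: sh check_hotfix.sh var/log/instance.log var/log/client1.log ...
# (var/log/<name>.log is the usual buildout layout; adjust to your setup.)
# With no arguments the constructed sample is checked instead.
if [ $# -gt 0 ]; then check_all_clients "$@"; else demo || :; fi
```

Run it against the event log of every instance or ZEO client you restarted; an exit status of 2 on any of them means the "Required manual step" above is still outstanding for the sites served by that process, and 1 means the hotfix did not load there at all.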

Issues fixed