Writing arbitrary files via docutils and Python Script

Versions affected

  • 5.2.4
  • 5.2.3
  • 5.2.2
  • 5.2.1
  • 5.2.0
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.1.7
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.10
  • 5.0.1
  • 5.0
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.20
  • 4.3.2
  • 4.3.19
  • 4.3.18
  • 4.3.17
  • 4.3.15
  • 4.3.14
  • 4.3.12
  • 4.3.11
  • 4.3.10
  • 4.3.1
  • 4.3

Vulnerability

By creating a Python Script that calls the ReStructuredText transform with special keyword arguments, you could write to arbitrary files on disk, and probably also read from them. Note that by default you need the Manager role to be able to add Python Scripts. Plone 5 was found vulnerable, but depending on which docutils version you have, Plone 4 may also be vulnerable.

Current status

Hotfixed

Credits

Discovered by

  • Calum Hutton

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team