
Non-image member portraits

by Wichert Akkerman last modified October 2, 2006 - 12:08

Plone did not verify that member portraits were real images. This allowed users to upload, for example, HTML pages to sites where they would otherwise not be able to create content.

Vulnerability details

Spammers have been using this vulnerability to insert spam into Plone sites which allow member registration. For more information on this, and on how to remove the spam, please see the "Clean up link spam on your site" how-to.


Affected versions

All Plone versions are affected:
  • All Plone 2.0 versions
  • Plone 2.1 up to version 2.1.3
  • Plone 2.5 up to version 2.5
If you are running Plone 2.0 there is an unofficial backport of the security fixes available, but it requires that PIL is already installed on the server. Plone 2.0.x did not ship with PIL, so you have to make sure that it is installed on your server's Python install for this to work.
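To make the class of bug concrete, here is an added illustration of the check that was missing: a portrait upload path that stores whatever it is given, beside one that refuses bytes that do not parse as an image. This is not Plone's code. Plone's fix relied on PIL to decode the upload; because this stand-alone example must run without PIL, it substitutes a standard-library check of the PNG, JPEG and GIF file signature and first dimension header (a weaker but dependency-free approximation, stated here as an assumption). All function names, the in-memory `store` dictionary and the sample uploads are constructed for the example.

```python
"""Added example: validating member-portrait uploads (not Plone's own code)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


class PortraitRejected(ValueError):
    """Raised when an upload does not look like a real image."""


def _sniff_jpeg(data):
    """Walk JPEG marker segments up to the first SOF marker and read its size.

    Minimal parser: it assumes only length-bearing segments precede SOF,
    which is true of ordinary baseline and progressive files.
    """
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:  # every segment must start with a marker byte
            return None
        marker = data[pos + 1]
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):  # SOF0/1/2: precision, height, width
            if pos + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return ("jpeg", width, height)
        pos += 2 + seg_len
    return None


def sniff_image(data):
    """Return (format, width, height) if the bytes start like a real image, else None.

    The browser-supplied content type is deliberately not consulted: it is
    attacker-controlled, so only the bytes themselves are inspected.
    """
    if data.startswith(PNG_SIGNATURE) and len(data) >= 24 and data[12:16] == b"IHDR":
        width, height = struct.unpack(">II", data[16:24])
        return ("png", width, height)
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        width, height = struct.unpack("<HH", data[6:10])
        return ("gif", width, height)
    return _sniff_jpeg(data)


def store_portrait_vulnerable(store, member_id, data, declared_type):
    """Pre-fix behaviour: trust the upload and the declared content type as-is."""
    store[member_id] = (declared_type, data)


def store_portrait_checked(store, member_id, data, declared_type, max_pixels=4_000_000):
    """Hardened behaviour: keep only bytes that parse as an image of sane size,
    and record the sniffed type rather than the declared one."""
    info = sniff_image(data)
    if info is None:
        raise PortraitRejected("upload is not a recognised image")
    fmt, width, height = info
    if width == 0 or height == 0 or width * height > max_pixels:
        raise PortraitRejected("image dimensions out of range: %dx%d" % (width, height))
    store[member_id] = ("image/" + fmt, data)


# --- constructed sample uploads --------------------------------------------
HTML_PAYLOAD = b"<html><body><a href='http://spam.example/'>cheap stuff</a></body></html>"
GIF_HEADER = b"GIF89a" + struct.pack("<HH", 2, 3)  # 2x3, header only
JPEG_HEADER = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", 5, 4) + b"\x01\x01\x11\x00"
)  # SOF0 declaring height 5, width 4


def _png_chunk(kind, payload):
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def make_png(width, height):
    """Build a complete, decodable 8-bit RGB PNG filled with black pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


if __name__ == "__main__":
    vulnerable, checked = {}, {}
    store_portrait_vulnerable(vulnerable, "alice", HTML_PAYLOAD, "image/png")
    print("vulnerable path stored:", vulnerable["alice"][0], len(vulnerable["alice"][1]), "bytes")
    try:
        store_portrait_checked(checked, "alice", HTML_PAYLOAD, "image/png")
    except PortraitRejected as exc:
        print("checked path rejected HTML:", exc)
    store_portrait_checked(checked, "bob", make_png(1, 1), "text/html")
    print("checked path stored:", checked["bob"][0], "despite declared text/html")
```

The header check above is enough to reject an HTML page renamed as a portrait, which is the case this advisory describes, but it only inspects the leading bytes; fully decoding the upload, as Plone's PIL-based fix does, is the stronger check because it also rejects files whose image header is followed by something other than image data.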