Plone Hotfix CVE-2008-0164 (May 13, 2008)

This update protects security sensitive forms in Plone from cross site request forgery (CSRF) attacks. The hotfix only applies to Plone 3.0.x — Plone 3.1.x or later have this built-in, and do not need this hotfix installed. If you have older releases that you can't upgrade, please read about available workarounds.

For additional information about this project, please visit the overview page .

Available downloads

PloneHotfix-CVE-2008-0164.tar.gz

For all platforms (0 KB)

Release Notes

Tested with Plone 3
State Final release
License GPL
Release Manager Andreas Zeidler

This update protects security sensitive forms in Plone from cross site request forgery (CSRF) attacks.

Adrian Pastor from security firm ProCheckUp Ltd reported that Plone is vulnerable to the cross site request forgery class of attacks. CSRF attacks work against people with a valid session on a Plone site: an attacker can — by tricking them (or their browser) to make an HTTP request to the site — use their active session and change security sensitive settings such as the users email address.

A framework to protect Plone against CSRF attacks has been developed in the form of PLIP 224 for Plone 3.1 and is available for Plone 3.0 via Plone Hotfix CVE-2008-0164. For older versions of Plone (i.e. the 2.x and 1.0 series), please upgrade. If you are unable to upgrade, see the Temporary Workaround section below.

This issue has been assigned CVE-2008-0164.

Affected versions

All Plone releases are affected.

Plone 3.1 and later includes a fix for this issue, and does not need this hotfix.

Installing the hotfix

If you are using Plone 3.0.x you can download and install Plone Hotfix CVE-2008-0164. The hotfix can be installed as a normal Plone product:

  • Verify the md5 hash of the hotfix package — it should be "c81bd88cbf555ccfba8fc695173bf505"
  • Extract it in the Products directory of your Zope instance
  • Restart Zope
  • Go to the 'Add-on Products' panel in the Plone Site Setup
  • Install the hotfix product

Uninstalling the hotfix

  • Remove 'PloneHotfixCVE20080164' from the Products directory of your Plone instance
  • Restart Zope

Temporary workaround

If you can't upgrade your sites to the latest version of Plone yet, there are some simple steps you can take to make sure you are not affected by this vulnerability.

The most important thing to understand is that this vulnerability is not remotely exploitable — i.e. it requires you to take a particular action, and a targeted attack for you to be exposed. Thus, you can make sure you are not affected by this quite easily:

Only log in as the administrator user when you really need to, and log out when you are done. Do not visit untrusted web sites (especially in other tabs of the same browser) while you are logged in to your Plone site as an administrator. Try to limit browsing of untrusted sites even when you are logged in as a normal user.

As long as you do not visit other sites while operating your Plone site, this vulnerability cannot affect you. Plone has built-in protection against this since version 2.1 for the Plone site itself, so you only need to worry about visiting non-Plone sites that do not filter out malicious HTML. (But double check that you haven't manually turned off HTML filtering in your site to allow risky HTML like forms and Javascript).

If your habit is to browse your site logged in as an administrator, we encourage you to create a normal user for this instead, and only use the admin account when you really need to.

The real fix is of course to upgrade Plone to the latest release as soon as possible.

For developers

  • Wikipedia has an article explaining how CSRF works.
  • Since this type of attack is on the rise in web applications in general, Plone now includes protection for it in its core.
  • See the plone.protect and plone.keyring modules for making use of this in your own applications.

Reported incidents

No incidents of this vulnerability being exploited have been reported.

References

CVE
CVE-2008-0164