Plone Hotfix CVE-2011-0720 (Feb 08, 2011)

Apply to Plone 4.x series <= 4.0.3, 3.x series <= 3.3.5, 2.5.x series, 2.1, 2.0. Blocks an escalation of privileges attack.

For additional information about this project, please visit the overview page.

Available downloads

PloneHotfix20110720-1.2.tar.gz

For all platforms (0 KB)

PloneHotfix20110720-1.2.zip

For all platforms (0 KB)

Release Notes

Tested with: Plone 4, Plone 3, Plone 2.5, Plone 2.1, Plone 2.0
State: Final release
License: GPL

See http://plone.org/products/plone/security/advisories/cve-2011-0720 for additional background on this hotfix.

Installation instructions

The procedure for installing Hotfix CVE-2011-0720 differs slightly based on what version of Plone you are running, and whether you installed Plone using Buildout.

Backup First!

It is prudent to backup all of your data and installation files before installing any Plone add-on, including this hotfix.  If you already have a solid Plone backup routine in place, then you can skip this step and proceed.

If you don't already have a backup of your Plone site, the simplest way to back up your Plone instance is to simply copy your entire Zope instance folder or buildout folder to a secure location.

Recommended Install Procedure

If you're less experienced with Plone, the easiest way to install Hotfix CVE-2011-0720 on Plone 2.5 - Plone 4 is as follows:

1) Download the hotfix archive using the link above. If you have an md5 tool available (Linux or Mac), check that the checksum of the downloaded file matches the published value:

MD5 (PloneHotfix20110720-1.2.zip)
edc482a3480088c55d8a44744725b11b
MD5 (PloneHotfix20110720-1.2.tar.gz)
f8ec98673e3a1e872088f92f39fb7949

2) Place the downloaded zip file into the "Products" directory in your Zope instance.

3) Unpack the archive.

On Linux or Mac, the command is:

$ unzip PloneHotfix20110720-1.2.zip

On Windows, use your favorite archiving product.  (7Zip is a good choice.)

4) Restart your Zope instance in foreground mode to ensure that the hotfix is installed.

On Mac or Linux, the command is typically:

$ bin/instance fg

On Windows, the command is typically:

> bin\instance.exe fg

Plone 2.5 users on Windows may need to use the alternative command:

> bin\runzope.bat

Zope will start in the foreground, and you should see the message "INFO PloneHotfix20110720 Hotfix installed." during startup.

5) Stop the foreground instance of Zope by hitting CTRL-C.

6) Restart your Zope instance.

On Mac or Linux, the command is typically:

$ bin/instance start

On Windows, the command is typically:

> bin\instance.exe start
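The download-and-verify part of the procedure above as a small POSIX shell script. This is an added example, not code shipped with the hotfix or by the Plone project: it compares the archive's MD5 against the values published on this page and refuses to unpack into the Products directory on a mismatch (an MD5 checksum catches a corrupted or altered download but is not a signature). The archive path and Products directory are passed in as arguments and are assumptions.

```shell
#!/bin/sh
# Added example (not from the hotfix release): verify a downloaded
# PloneHotfix20110720-1.2 archive against the published MD5 sums and
# unpack it into the Zope instance's Products directory only on a match.

# Checksums published on the release page.
MD5_ZIP=edc482a3480088c55d8a44744725b11b
MD5_TGZ=f8ec98673e3a1e872088f92f39fb7949

# Print the MD5 of a file using whichever tool the platform provides
# (md5sum on Linux, md5 on Mac).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 when the file's MD5 equals the expected value, 1 otherwise.
verify_md5() {
    actual=$(file_md5 "$1")
    [ "$actual" = "$2" ]
}

# Verify first, then unpack into the Products directory ($3); a
# checksum mismatch or an unknown archive type aborts the install.
# Usage (paths are assumptions):
#   install_hotfix PloneHotfix20110720-1.2.zip "$MD5_ZIP" /path/to/instance/Products
install_hotfix() {
    if ! verify_md5 "$1" "$2"; then
        echo "checksum mismatch for $1, not installing" >&2
        return 1
    fi
    case "$1" in
        *.zip)    unzip -q "$1" -d "$3" ;;
        *.tar.gz) tar xzf "$1" -C "$3" ;;
        *) echo "unknown archive type: $1" >&2; return 1 ;;
    esac
}
```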


Installing with Buildout

If you are an experienced Plone administrator, and you are using a Buildout-based installation of Plone, you may choose to install Hotfix CVE-2011-0720 with Buildout. However, if you choose to do this, you must be certain that you will not accidentally overwrite Plone components with newer versions.  This is particularly likely if you try to use Buildout with Plone 2.5, Plone 3 or Plone 3.1.

If you are not sure what you're doing, please use the "Recommended Installation Instructions" above.

1) Find your buildout.cfg file, typically located in the "zinstance" subdirectory of your Plone installation directory.
2) Open your buildout.cfg file in your favorite text editor.
3) Scroll down to the "eggs" section of the buildout and add Products.PloneHotfix20110720, e.g.

[buildout]
...
eggs =
    Products.PloneHotfix20110720

4) Rerun buildout.

On Mac or Linux, the command is:

$ ./bin/buildout -Nv

On Windows, the command is:

> bin\buildout.exe -Nv

5) Restart your Zope instance.

On Mac or Linux, the command is:

$ ./bin/instance start

On Windows, the command is:

> bin\instance.exe start

Alternatively, on Windows, you may restart the Zope service via the Windows Services control panel.

After installation

To ensure that no one took advantage of the security vulnerability before your site was patched, you should audit your site.

If someone used the security vulnerability to create unauthorized users, this might be difficult to spot, especially for sites with a lot of users and sites where anyone can sign up. To make this easier, follow the steps below and use the log-analyzing tool that came with the patch.

Analyze your site logs using the logchecker script. If the tool indicates that an escalation of privileges attack may have occurred, it is strongly recommended that you audit the users in your site. Although the tool was written to err on the side of caution, it is not a guarantee that it will find attempted attacks, so it is a good idea for everyone to do the audit.

Check the list of all users with administration privileges

As the flaw allows attackers to create new user accounts, you should go through all users in your site that have administrator privileges in the user settings section of the Plone control panel to ensure that there are no new admins present.

Check the list of all users

Someone may have created a user that is not an administrator but that has just enough privileges to cause damage or obtain unauthorized information. It is therefore important that you also check all your users. They may also have changed the password for a user, so it is important to ensure that your content editors can still log in.

Change your admin password

Attackers may have used the flaw to generate a fake login cookie for a user in your site, most likely an administrator.  Changing the admin passwords will render these cookies unusable.

Change log

1.2 - Fixes for sites that were broken because they relied on local assignment of the Manager role. If you successfully installed 1.0 or 1.1 and have not experienced issues, you do not need 1.2.

1.1 - Fixes for a very small number of users on Zope 2.10.8.  If you successfully installed 1.0 you do not need 1.1.

1.0 - Initial release