CVE-2010-2422: HTML injection in safe_html

by Matthew Wilkes last modified Jul 02, 2010 09:52 AM
This update fixes a flaw in Plone's HTML filtering (the safe_html transform) that allows arbitrary HTML, including script, to be injected into pages.

Update: we now have an official CVE number: CVE-2010-2422

The fix is included in an update of PortalTransforms.

Alan Hoey of Team Rubber found a bug in the HTML filtering of all Plone versions. Any user who can create content can exploit this flaw to circumvent the normal HTML filtering and store markup that safe_html would otherwise strip.

This issue has been assigned the number CVE-2010-2422.

Affected versions

All Plone releases since 2.1 are affected.

Installing the hotfix

Installation for Plone 2.1 - 3.1 users


To install this hotfix, download and unzip the distribution and add the directory PloneHotfix20100612 to your instance's Products directory. If the hotfix has been successfully added you will see the following message when starting the instance in foreground mode:

2010-06-12 23:54:28 INFO PloneHotfix20100612 safe_html patched

Installation for Plone 3.2 and 3.3 users


Although this hotfix will work with any version of Plone, users of Plone 3.2 to Plone 3.3.5 should instead add the following to their buildout configuration files and re-run buildout:

[versions]
Products.PortalTransforms = 1.6.12

There will be no confirmation message on start-up, so the presence of the fix can be verified by checking the version number of PortalTransforms in the Zope Control Panel.
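Whichever route applies, an administrator will want a repeatable check rather than a one-off look at the Zope Control Panel. The following is an added example, not part of the advisory or of Plone itself: it reads the [versions] pin from a buildout file and compares it numerically against 1.6.12 (a plain string comparison gets "1.6.12" versus "1.6.9" wrong), and for the 2.1 to 3.1 route it looks for the startup log line quoted above. The buildout snippet and log lines are constructed sample data, and the parser assumes a buildout file simple enough for ConfigParser to read.

```python
"""Check that the CVE-2010-2422 fix is in place, for either install route."""
import re
from configparser import ConfigParser

FIXED_VERSION = (1, 6, 12)  # Products.PortalTransforms release carrying the fix
HOTFIX_LOG_MARK = "PloneHotfix20100612 safe_html patched"

# Constructed sample data (not taken from a real instance): a buildout
# fragment with a [versions] pin, and a few foreground-mode startup lines.
SAMPLE_BUILDOUT = """\
[buildout]
parts = instance

[versions]
Products.PortalTransforms = 1.6.12
Plone = 3.3.5
"""

SAMPLE_LOG = """\
2010-06-12 23:54:20 INFO ZServer HTTP server started
2010-06-12 23:54:28 INFO PloneHotfix20100612 safe_html patched
2010-06-12 23:54:29 INFO Zope Ready to handle requests
"""


def parse_version(text):
    """'1.6.12' -> (1, 6, 12). Tuples compare numerically, so 1.6.12 > 1.6.9,
    which a string comparison would get backwards."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def pinned_portaltransforms(buildout_text):
    """Return the Products.PortalTransforms pin from [versions], or None.
    Assumes a buildout file plain enough for ConfigParser; interpolation is
    off because buildout's ${part:option} syntax would otherwise trip it."""
    parser = ConfigParser(interpolation=None)
    parser.read_string(buildout_text)
    if not parser.has_section("versions"):
        return None
    return parser.get("versions", "Products.PortalTransforms", fallback=None)


def pin_is_fixed(buildout_text):
    """Plone 3.2 / 3.3 route: the pin must be 1.6.12 or later."""
    pin = pinned_portaltransforms(buildout_text)
    return pin is not None and parse_version(pin) >= FIXED_VERSION


def hotfix_loaded(log_text):
    """Plone 2.1 - 3.1 route: the hotfix product logs one line at startup."""
    return any(HOTFIX_LOG_MARK in line for line in log_text.splitlines())


def fix_in_place(buildout_text, log_text):
    """True if either route shows the fix is active."""
    return pin_is_fixed(buildout_text) or hotfix_loaded(log_text)


if __name__ == "__main__":
    print("pinned version:", pinned_portaltransforms(SAMPLE_BUILDOUT))
    print("pin fixed:", pin_is_fixed(SAMPLE_BUILDOUT))
    print("hotfix line seen:", hotfix_loaded(SAMPLE_LOG))
```

On a real instance, feed the function the contents of the buildout file actually used to build the instance (pins in a file that buildout does not extend are not applied) and the foreground log from the instance that serves content; a pin in an unused file or a hotfix in the wrong Products directory will pass neither check.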


Reported incidents

No incidents of this vulnerability being exploited have been reported.

References

CVE
CVE-2010-2422.