Security: PlonePAS user/group fix (CVE-2006-4249)

by Alex Limi last modified Nov 02, 2006 06:03 PM
PlonePAS-using Plone releases (Plone 2.5 and Plone 2.5.1) have a potential vulnerability that allows a user to masquerade as a group. Please update your sites.

This issue has been assigned CVE-2006-4249.

Affected versions

  • Plone 2.5
  • Plone 2.5.1

Plone versions 1.0.x, 2.0.x and 2.1.x are NOT affected unless you have separately installed PlonePAS and have not configured a prefix property on the source_groups plugin.

This vulnerability only applies to sites which allow member registration to anonymous users.
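The following is an added illustration of the class of bug this advisory describes, not PlonePAS code: a toy principal store in which user ids and group ids share one namespace, shown next to the prefixed form that the source_groups prefix property provides and a registration check that refuses colliding ids. The class and method names, and the sample "Reviewers" group, are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PrincipalStore:
    """Hypothetical store of users and groups, each mapped to the roles it grants."""
    group_prefix: str = ""          # models the prefix property on the groups plugin
    users: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)

    def add_group(self, group_id, roles):
        # Groups are stored under their prefixed id, so with a non-empty
        # prefix no user id can ever equal a stored group id.
        self.groups[self.group_prefix + group_id] = set(roles)

    def register_user_unchecked(self, user_id, roles=("Member",)):
        # Models the flaw: anonymous registration with no collision check.
        self.users[user_id] = set(roles)

    def register_user(self, user_id, roles=("Member",)):
        # Hardened registration: refuse an id that matches an existing group.
        if user_id in self.groups:
            raise ValueError("user id collides with a group id: %r" % user_id)
        self.users[user_id] = set(roles)

    def effective_roles(self, principal_id):
        # A shared-namespace lookup: roles from a user entry plus roles from
        # any group entry that happens to carry the same id.
        roles = set(self.users.get(principal_id, ()))
        roles |= self.groups.get(principal_id, set())
        return roles


def registration_rejected(store, user_id):
    """True if the hardened registration refuses this id."""
    try:
        store.register_user(user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    unprefixed = PrincipalStore()
    unprefixed.add_group("Reviewers", ["Reviewer"])
    unprefixed.register_user_unchecked("Reviewers")
    print(unprefixed.effective_roles("Reviewers"))   # includes Reviewer
    prefixed = PrincipalStore(group_prefix="group_")
    prefixed.add_group("Reviewers", ["Reviewer"])
    prefixed.register_user_unchecked("Reviewers")
    print(prefixed.effective_roles("Reviewers"))     # only Member
```

With an empty prefix the constructed "Reviewers" user inherits the group's roles; with a prefix the ids no longer coincide, and the registration check blocks the collision in the unprefixed case as well.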

Installing the hotfix

If Plone 2.5.2 is not released by the time you read this, or you cannot upgrade your Plone, you can install Plone Hotfix 2006-10-31. The hotfix can be installed as a normal Zope product:

  • Extract it in the Products directory of your Zope instance
  • Restart Zope
  • Verify that the hotfix is listed in the product management page in the Zope Control Panel

Reported incidents

No incidents of this happening to sites in the wild have been reported.