Security: PlonePAS user/group fix (CVE-2006-4249)
This issue has been assigned CVE-2006-4249
Affected versions
- Plone 2.5
- Plone 2.5.1
Plone versions 1.0.x, 2.0.x and 2.1.x are NOT affected unless you have separately installed PlonePAS and have not configured a prefix property on the source_groups plugin.
This vulnerability only applies to sites which allow member registration to anonymous users.
Installing the hotfix
If Plone 2.5.2 is not released by the time you read this, or you cannot upgrade your Plone, you can install Plone Hotfix 2006-10-31. The hotfix can be installed as a normal Zope product:
- Extract it in the Products directory of your Zope instance
- Restart Zope
- Verify that the hotfix is listed in the product management page in the Zope Control Panel
Reported incidents
No incidents of this happening to sites in the wild have been reported.