CVE-2009-0662: Authentication flaw in login form

by Wichert Akkerman last modified Apr 21, 2009 04:10 PM

This update fixes a flaw in the login form handling which allowed authenticated users to assume another identity.

The fix is included in an update of PlonePAS, the Pluggable Authentication System.

Karen Chan of Isotoma Limited found a bug in the login form handling of Plone 3.x. An already authenticated user could exploit this error and assume the identity of another user.

This issue has been assigned CVE-2009-0662.

Affected versions

All Plone 3.x releases are affected.

Plone 2.5 and earlier releases are not affected.

Installing the hotfix

For Plone 3.0.x and 3.1.x

If you are using Plone 3.0.x or 3.1.x you can download and install a new PlonePAS product release. The product can be installed as a normal Plone product:

  • For Plone 3.0 use version 3.2.2 of PlonePAS. Verify the md5 hash of the hotfix package — it should be "f88c542bdf8e22674d284418e58c0da8".
  • For Plone 3.1 use version 3.9 of PlonePAS. Verify the md5 hash of the hotfix package — it should be "9ddc4d9b3505fe71f2c3e17513680c50".
  • Extract it in the Products directory of your Zope instance.
  • Restart Zope

If you're using Plone 3.0 or Plone 3.1 with buildout you can update the productdistros section of your buildout.cfg to download the hotfix for you, as follows:

Plone 3.0:

[productdistros]
recipe = plone.recipe.distros
urls =
    http://plone.org/products/plonepas/releases/3.2.2/PlonePAS-3.2.2.tar.gz
nested-packages =
version-suffix-packages =

Plone 3.1:

[productdistros]
recipe = plone.recipe.distros
urls =
    http://plone.org/products/plonepas/releases/3.9/PlonePAS-3.9.tar.gz
nested-packages =
version-suffix-packages =

For Plone 3.2.x

If you are using Plone 3.2.x you should use the Products.PlonePAS 3.9 egg release.

With buildout

If you are using buildout you can update the version pin for this package by adding this entry to your buildout.cfg file:

[versions]
Products.PlonePAS = 3.9

If your buildout.cfg already has a "[versions]" part, just add the "Products.PlonePAS = 3.9" line. If there is no "[versions]" section, just add one to the end of your buildout.cfg file.

After making this change you need to stop Zope, run bin/buildout, and restart Zope.

Not using buildout

If you are not using buildout you can use the easy_install command to install an updated version of Products.PlonePAS:

$ easy_install -U Products.PlonePAS==3.9

Restart Zope.

Reported incidents

No incidents of this vulnerability being exploited have been reported.

References

CVE
CVE-2009-0662

caveat!

Posted by Sean Fulmer at Apr 22, 2009 12:23 PM
There's currently a problem with the python-openid package that might prevent you from re-running buildout after pinning the Products.PlonePAS version at 3.9. To work around it, pin python-openid at 2.2.1, eg:

[versions]
python-openid = 2.2.1
Products.PlonePAS = 3.9

Fixed.

Posted by Erik Rose at Apr 22, 2009 11:46 PM
This is fixed now. Re-run your buildouts!

Re: Fixed.

Posted by Sean Fulmer at Apr 22, 2009 11:49 PM
Good to know! I un-pinned python-openid and my buildout re-buildouted without a complaint :)

Not a big deal for WebServerAuth users, probably

Posted by Erik Rose at Apr 22, 2009 11:49 PM
If you're using WebServerAuth and not telling users their in-Plone passwords, you're probably in the clear on this one. If I read the changeset correctly, this can only be exploited if someone first logs in via the __ac cookie (that is, via in-Plone authentication) and then changes the username they send in the request. Of course, admins who know their in-Plone passwords to access the root-level ZMI can masquerade as other users, but they can do what they want in any case.

Actually a deal of some kind

Posted by Erik Rose at Apr 23, 2009 07:57 PM
Okay, apparently the vulnerability is in effect whenever you can POST to the login form while authenticated, so versions of WebServerAuth before 1.2 don't keep you safe. 1.2 and later, however, shadow the built-in login form, so they should keep you in the clear. To be extra safe, you can go ahead and install the new PlonePAS as well. Thanks to Wichert for clearing this up!

LDAP Problems?

Posted by David Breitkreutz at Apr 23, 2009 05:06 AM
My site's authentication via LDAP (and plone.app.ldap and associated parts) works fine with PlonePAS 3.7 but stops working with the installation of this patch.

The auth seems to be okay (a 'Welcome! You are now logged in' message appears) but the user remains logged out.

Normal Plone and Zope root users are unaffected, and nothing else has changed (with the exception of a new python-openid to the latest version).

Ideas/solutions?

How to tell if site successfully patched:

Posted by Jason Hare at May 04, 2009 01:51 PM
I ran the buildout version of the patch on my dev server.

I added at the end of buildout.cfg

[versions]
Products.PlonePAS = 3.9

Shell seemed to take a while but then updated all of the instances of the site and only reported some Lynx errors (not running lynx so I expected this).

I see there is a product in eggs:

products.plonepas-3.9-py2.4.egg

I can also paste in the output of my shell - this is the first time I am using buildout so I just wanted to be sure I installed it right before I do this on my production box.
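As an added example (not code from the advisory or the Plone project), a small Python helper for the checks this advisory and its comments describe: comparing a downloaded hotfix tarball against the md5 sums listed above, confirming that a buildout.cfg pins Products.PlonePAS at the fixed egg release, and, as in the last comment, recognising the fixed release by its egg directory name. All function names are my own, and the version comparison assumes plain dotted integer versions.

```python
import configparser
import hashlib
import re

# Products.PlonePAS egg release the advisory names as fixed for Plone 3.2.x.
FIXED_EGG_VERSION = "3.9"

# md5 sums the advisory publishes for the Plone 3.0 / 3.1 hotfix tarballs.
HOTFIX_MD5 = {
    "PlonePAS-3.2.2.tar.gz": "f88c542bdf8e22674d284418e58c0da8",
    "PlonePAS-3.9.tar.gz": "9ddc4d9b3505fe71f2c3e17513680c50",
}

def version_tuple(version):
    """'3.2.2' -> (3, 2, 2); assumes plain dotted integer versions."""
    return tuple(int(part) for part in version.split("."))

def md5_hex(data):
    """Hex md5 of a downloaded tarball's bytes, to compare with HOTFIX_MD5."""
    return hashlib.md5(data).hexdigest()

def tarball_is_genuine(filename, data):
    """True only if the advisory lists filename and its md5 matches the bytes."""
    expected = HOTFIX_MD5.get(filename)
    return expected is not None and md5_hex(data) == expected

def plonepas_pin_is_fixed(buildout_cfg_text):
    """True if the [versions] part pins Products.PlonePAS at 3.9 or later."""
    # interpolation=None: buildout writes ${part:option}, not configparser's %().
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(buildout_cfg_text)
    if not parser.has_option("versions", "Products.PlonePAS"):
        return False  # unpinned: whatever buildout last resolved is installed
    pinned = parser.get("versions", "Products.PlonePAS")
    return version_tuple(pinned) >= version_tuple(FIXED_EGG_VERSION)

def installed_egg_is_fixed(egg_dir_names):
    """Scan eggs/ directory names (setuptools lower-cases them, e.g.
    products.plonepas-3.9-py2.4.egg) for a fixed PlonePAS release."""
    pattern = re.compile(r"^products\.plonepas-(\d+(?:\.\d+)*)-py", re.I)
    for name in egg_dir_names:
        match = pattern.match(name)
        if match and version_tuple(match.group(1)) >= version_tuple(FIXED_EGG_VERSION):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: the pin this advisory tells Plone 3.2.x sites to add.
    sample_cfg = "[versions]\nProducts.PlonePAS = 3.9\n"
    print("pin fixed:", plonepas_pin_is_fixed(sample_cfg))
```

To check a real download, read the tarball bytes and pass them with its filename to tarball_is_genuine; to check a live buildout, pass the contents of buildout.cfg and the entries of its eggs/ directory.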