CVE-2009-0662: Authentication flaw in login form

by Wichert Akkerman, last modified Apr 21, 2009 04:10 PM
This update fixes a flaw in the login form handling which allowed authenticated users to assume another identity.

The fix is included in an update of PlonePAS, the Pluggable Authentication System.

Karen Chan of Isotoma Limited found a bug in the login form handling of Plone 3.x. An already authenticated user could exploit this error and assume the identity of another user.

This issue has been assigned CVE-2009-0662.

Affected versions

All Plone 3.x releases are affected.

Plone 2.5 and earlier releases are not affected.

Installing the hotfix

For Plone 3.0.x and 3.1.x

If you are using Plone 3.0.x or 3.1.x you can download and install a new PlonePAS product release. The product can be installed as a normal Plone product:

  • For Plone 3.0 use version 3.2.2 of PlonePAS. Verify the md5 hash of the hotfix package — it should be "f88c542bdf8e22674d284418e58c0da8".
  • For Plone 3.1 use version 3.9 of PlonePAS. Verify the md5 hash of the hotfix package — it should be "9ddc4d9b3505fe71f2c3e17513680c50".
  • Extract it into the Products directory of your Zope instance.
  • Restart Zope.
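To make the md5 check in the steps above fail closed, here is an added shell script (not part of this advisory or of the PlonePAS project) that verifies a downloaded hotfix tarball against the hash published above and only then extracts it; the function names, the file name and the Products directory path are assumptions.

```shell
#!/bin/sh
# Added example: verify a PlonePAS hotfix tarball before extracting it.
# A missing file or a mismatched md5 is never unpacked into Products/.

# Expected md5 values are the ones published in the advisory, per Plone series.
expected_md5_for() {
    case "$1" in
        3.0) echo f88c542bdf8e22674d284418e58c0da8 ;;   # PlonePAS 3.2.2
        3.1) echo 9ddc4d9b3505fe71f2c3e17513680c50 ;;   # PlonePAS 3.9
        *)   return 1 ;;                                 # no hotfix listed
    esac
}

# Print the md5 of a file using whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# check_md5 FILE EXPECTED: succeeds only if FILE exists and its md5 is EXPECTED.
check_md5() {
    [ -f "$1" ] || return 1
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# verify_hotfix FILE SERIES: succeeds only if FILE matches the published hash
# for that Plone series (3.0 or 3.1).
verify_hotfix() {
    expected=$(expected_md5_for "$2") || return 1
    check_md5 "$1" "$expected"
}

# install_hotfix FILE SERIES PRODUCTS_DIR: verify first, then extract.
# Example (assumed paths): install_hotfix PlonePAS-3.9.tar.gz 3.1 /opt/zope/Products
install_hotfix() {
    if verify_hotfix "$1" "$2"; then
        tar -xzf "$1" -C "$3" && echo "Extracted $1 into $3; now restart Zope."
    else
        echo "md5 mismatch or missing file: $1 was not extracted" >&2
        return 1
    fi
}
```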

If you're using Plone 3.0 or Plone 3.1 with buildout you can update the productdistros section of your buildout.cfg to download the hotfix for you, as follows:

Plone 3.0:

[productdistros]
recipe = plone.recipe.distros
urls =
    http://plone.org/products/plonepas/releases/3.2.2/PlonePAS-3.2.2.tar.gz
nested-packages =
version-suffix-packages =

Plone 3.1:

[productdistros]
recipe = plone.recipe.distros
urls =
    http://plone.org/products/plonepas/releases/3.9/PlonePAS-3.9.tar.gz
nested-packages =
version-suffix-packages =

For Plone 3.2.x

If you are using Plone 3.2.x you should use the Products.PlonePAS 3.9 egg release.

With buildout

If you are using buildout you can update the version pin for this package by adding this entry to your buildout.cfg file:

[versions]
Products.PlonePAS = 3.9

If your buildout.cfg already has a "[versions]" part, just add the "Products.PlonePAS = 3.9" line. If there is no "[versions]" section, just add one to the end of your buildout.cfg file.

After making this change you need to stop Zope, run bin/buildout, and restart Zope.

Not using buildout

If you are not using buildout you can use the easy_install command to install an updated version of Products.PlonePAS:

$ easy_install -U Products.PlonePAS==3.9

Restart Zope.

Reported incidents

No incidents of this vulnerability being exploited have been reported.

References

  • CVE: CVE-2009-0662