Non-image member portraits

by Wichert Akkerman last modified Oct 02, 2006 12:08 PM
Plone did not verify that member portraits were real images. This allowed users to upload, for example, HTML pages to sites where they would otherwise not be able to create content.

Vulnerability details

Spammers have been using this vulnerability to insert spam into Plone sites which allow member registration. For more information on this and how to remove spam, please see the "Clean up link spam on your site" how-to.

Affected versions

All Plone versions are affected:
  • All Plone 2.0 versions
  • Plone 2.1 up to version 2.1.3
  • Plone 2.5 up to version 2.5
If you are running Plone 2.0 there is an unofficial backport of the security fixes available, but it requires that PIL is already installed on the server. Plone 2.0.x did not ship with PIL, so you have to make sure that it is installed in your server's Python installation for this to work.
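The check the advisory describes as missing, as an added example that is not Plone's own code: a standard-library validator that accepts a portrait upload only when it carries the magic number, the mandatory first structure and the end-of-file marker of a PNG, JPEG or GIF, and refuses anything else (an HTML page with a `.png` filename, a truncated transfer). The function names, the size limit and the sample uploads are assumptions constructed for the example; Plone's actual fix relies on PIL decoding the image, which is the stronger check and which this approximates without the dependency.

```python
import struct
import zlib
from typing import Optional

# Signatures of the image types a portrait field should accept. Anything else
# (HTML, scripts, arbitrary files) is rejected before it is stored.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
GIF_SIGS = (b"GIF87a", b"GIF89a")


class InvalidPortrait(ValueError):
    """Raised when an upload is not a well-formed image of an allowed type."""


def sniff_format(data: bytes) -> Optional[str]:
    """Identify the container from its leading magic bytes, or None."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(GIF_SIGS):
        return "gif"
    return None


def validate_portrait(data: bytes, max_bytes: int = 512 * 1024) -> str:
    """Return the image format of `data`, or raise InvalidPortrait.

    Checks the magic number, the format's mandatory first structure and its
    end-of-file marker, so a browser-sniffable HTML page or a cut-off upload
    is refused. Pixels are not decoded; a PIL-based check (as in the real
    Plone fix) would additionally catch corrupt image data.
    """
    if len(data) > max_bytes:
        raise InvalidPortrait("upload exceeds %d bytes" % max_bytes)
    fmt = sniff_format(data)
    if fmt is None:
        raise InvalidPortrait("not a PNG, JPEG or GIF file")
    if fmt == "png":
        # After the 8-byte signature the first chunk must be IHDR (13-byte body)
        # and the file must finish with the fixed IEND chunk and its CRC.
        if data[8:16] != b"\x00\x00\x00\x0dIHDR" or not data.endswith(b"IEND\xae\x42\x60\x82"):
            raise InvalidPortrait("malformed PNG")
    elif fmt == "jpeg":
        # A complete JPEG stream ends with the EOI marker.
        if not data.endswith(b"\xff\xd9"):
            raise InvalidPortrait("truncated JPEG")
    elif fmt == "gif":
        # A complete GIF ends with the trailer byte ';' (0x3B).
        if not data.endswith(b";"):
            raise InvalidPortrait("truncated GIF")
    return fmt


def is_valid_portrait(data: bytes) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_portrait(data)
        return True
    except InvalidPortrait:
        return False


def make_sample_png() -> bytes:
    """Construct a minimal valid 1x1 RGB PNG (test data, not a real upload)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")        # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed sample uploads: an honest PNG and GIF, a spam page submitted as
# a "portrait", and a JPEG cut off mid-transfer.
SAMPLE_PNG = make_sample_png()
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
SPAM_HTML = b'<html><body><a href="http://example.invalid/">spam link</a></body></html>'
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    samples = [("png", SAMPLE_PNG), ("gif", SAMPLE_GIF),
               ("html", SPAM_HTML), ("jpeg", TRUNCATED_JPEG)]
    for name, blob in samples:
        try:
            print("%s: accepted as %s" % (name, validate_portrait(blob)))
        except InvalidPortrait as exc:
            print("%s: rejected (%s)" % (name, exc))
```

Validation at upload time is the fix the advisory calls for; as defence in depth, serve stored portraits with the image Content-Type recorded at validation time rather than one derived from the filename, and send `X-Content-Type-Options: nosniff` so browsers do not reinterpret a stored file as HTML.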