Plone Security Advisory: Password Reset Tool
A potential security vulnerability was discovered as part of the recent security audit done in preparation for the 2.5.1 release. Any site running Plone 2.5 should upgrade to the latest version of Password Reset Tool. Plone 2.1.x and 2.0.x are not affected.
This vulnerability has been submitted as CVE-2006-4247 to the Common Vulnerabilities and Exposures (CVE) database.
An erroneous Zope security declaration in the Password Reset Tool could allow a person sufficiently familiar with Zope to request a password reset for an arbitrary user and then intercept that reset request, which gives them the opportunity to change that user's password.
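The advisory does not name the affected method, so the following is an added example rather than PasswordResetTool's own code: it models the general class of bug described above, a Zope security declaration that leaves a token-returning reset-request method publicly callable, next to one possible hardening. Zope's AccessControl is replaced by a tiny stand-in so the script runs offline; the method names (requestReset, resetPassword, mailPasswordReset), the permission name and the token handling are assumptions for illustration.

```python
import secrets

# Minimal stand-in for Zope's ClassSecurityInfo and permission checking.
# Assumption: real Zope AccessControl is not imported so this runs offline.
PUBLIC = "Public"
MANAGE_PORTAL = "Manage portal"          # a Plone permission name


class SecurityInfo:
    """Records which permission a through-the-web caller needs per method."""

    def __init__(self):
        self.permissions = {}

    def declarePublic(self, name):
        self.permissions[name] = PUBLIC

    def declareProtected(self, permission, name):
        self.permissions[name] = permission


class Unauthorized(Exception):
    pass


def call_ttw(caller_permissions, tool, method, *args):
    """Dispatch a through-the-web call the way the publisher would:
    undeclared methods are treated as private, public ones are open to
    anyone, protected ones require the named permission."""
    required = tool.security.permissions.get(method)
    if required is None or (required != PUBLIC and required not in caller_permissions):
        raise Unauthorized(method)
    return getattr(tool, method)(*args)


class VulnerableResetTool:
    """Hypothetical tool: the method that creates and returns the reset
    token is (erroneously) declared public."""
    security = SecurityInfo()

    def __init__(self):
        self.passwords = {"alice": "initial-secret"}   # constructed sample user
        self.pending = {}                               # randomstring -> userid

    def requestReset(self, userid):
        randomstring = secrets.token_hex(16)
        self.pending[randomstring] = userid
        # This dict is meant only for the server-side mail template.
        return {"userid": userid, "randomstring": randomstring}
    security.declarePublic("requestReset")          # <-- the erroneous declaration

    def resetPassword(self, userid, randomstring, password):
        if self.pending.get(randomstring) != userid:
            raise ValueError("invalid reset request")
        del self.pending[randomstring]
        self.passwords[userid] = password
    security.declarePublic("resetPassword")         # legitimately public: the user follows the mailed link


class FixedResetTool(VulnerableResetTool):
    """Same logic; the token-returning method now needs 'Manage portal',
    and the public entry point never hands the token back to the caller."""
    security = SecurityInfo()
    security.declareProtected(MANAGE_PORTAL, "requestReset")
    security.declarePublic("resetPassword")

    def mailPasswordReset(self, userid):
        info = self.requestReset(userid)            # internal call, no TTW check
        # Stand-in for sending the mail: the token stays on the server.
        return "reset mail queued for %s" % info["userid"]
    security.declarePublic("mailPasswordReset")


def anonymous_attack(tool_class, victim="alice", new_password="pwned"):
    """Return True if a caller with no permissions can change the victim's
    password using only through-the-web calls."""
    tool = tool_class()
    try:
        info = call_ttw(frozenset(), tool, "requestReset", victim)
        call_ttw(frozenset(), tool, "resetPassword", victim, info["randomstring"], new_password)
    except Unauthorized:
        return False
    return tool.passwords[victim] == new_password


if __name__ == "__main__":
    print("vulnerable tool, anonymous takeover:", anonymous_attack(VulnerableResetTool))
    print("fixed tool, anonymous takeover:", anonymous_attack(FixedResetTool))
```

The point the model makes is that the declaration, not the reset logic, is the security boundary: the same two methods are safe or exploitable depending solely on which permission the request method is declared under and whether the token ever reaches the caller.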
Only the versions of Plone that ship with Password Reset Tool older than 0.4.1 are affected:
- Plone 2.5
- Plone 2.5.1 Release Candidate
Installers for all later releases include a fix for this problem.
Plone versions 1.0.x, 2.0.x and 2.1.x are NOT affected unless you have separately installed PasswordResetTool 0.4.0 or earlier.
Installing a fix
The vulnerability is fixed by running version 0.4.1 or later of the Password Reset Tool product. Plone 2.5.1 final ships with it included; until then, we suggest updating the component manually:
- Download Password Reset Tool 0.4.1 or later
- Delete the existing PasswordResetTool folder in your installation
- Replace it with the new version you just downloaded
- (Re)start your Plone instance.
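As an added check, not part of the original advisory or of Plone's own tooling: a short script that reads the version recorded in the installed PasswordResetTool product and reports whether it is at or above 0.4.1, useful both before the swap and after the restart. It assumes the product directory contains a `version.txt` whose first dotted number is the product version (the usual Zope product convention); the sample directory it builds is constructed for illustration.

```python
import os
import re
import tempfile

FIXED_IN = (0, 4, 1)     # first Password Reset Tool release with the fix


def parse_version(text):
    """Extract the first dotted version number from version.txt content such as
    'PasswordResetTool 0.4.1' or '0.4.0'. Returns a 3-tuple or None."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups(default="0"))


def installed_version(products_dir):
    """Read Products/PasswordResetTool/version.txt (assumed layout);
    None if the product or its version file is missing."""
    path = os.path.join(products_dir, "PasswordResetTool", "version.txt")
    try:
        with open(path) as handle:
            return parse_version(handle.read())
    except OSError:
        return None


def is_fixed(version):
    return version is not None and version >= FIXED_IN


def check_products_dir(products_dir):
    """Return (ok, message). A missing or unparseable version is reported
    as not ok: an unverifiable install should be treated as vulnerable."""
    version = installed_version(products_dir)
    if version is None:
        return False, "PasswordResetTool not found or unversioned in %s: verify manually" % products_dir
    label = ".".join(str(part) for part in version)
    if is_fixed(version):
        return True, "PasswordResetTool %s installed: not affected" % label
    return False, "PasswordResetTool %s installed: older than 0.4.1, upgrade required" % label


def make_sample_products_dir(version_line):
    """Build a throwaway Products/ tree with a constructed version.txt
    (a test fixture, not a real installation)."""
    products_dir = tempfile.mkdtemp(prefix="Products-")
    tool_dir = os.path.join(products_dir, "PasswordResetTool")
    os.makedirs(tool_dir)
    with open(os.path.join(tool_dir, "version.txt"), "w") as handle:
        handle.write(version_line + "\n")
    return products_dir


if __name__ == "__main__":
    for line in ("PasswordResetTool 0.4.0", "PasswordResetTool 0.4.1"):
        print(check_products_dir(make_sample_products_dir(line))[1])
    print(check_products_dir("/nonexistent/Products")[1])
```

Point the script at the `Products` directory of the instance that was restarted; if more than one instance shares a Zope installation, check each one, since the folder replacement described above only fixes the tree it was done in.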
There are no known cases of this vulnerability being exploited on existing sites.