Plone Security Advisory: Password Reset Tool

A potential security vulnerability was discovered as part of the recent security audit done in preparation for the 2.5.1 release. Any site running Plone 2.5 should upgrade to the latest version of Password Reset Tool. Plone 2.1.x and 2.0.x are not affected.

This vulnerability has been submitted to the Common Vulnerabilities and Exposures (CVE) database as CVE-2006-4247.

Vulnerability details

An erroneous security declaration could potentially allow a person sufficiently familiar with Zope to request a password reset for a given user and then intercept that request in order to change the password for that user.

Affected versions

Only the versions of Plone that ship with a Password Reset Tool older than 0.4.1 are affected:

  • Plone 2.5
  • Plone 2.5.1 Release Candidate

Installers for all later releases include a fix for this problem.

Plone versions 1.0.x, 2.0.x and 2.1.x are NOT affected unless you have separately installed PasswordResetTool 0.4.0 or earlier.

Installing a fix

The vulnerability can be fixed by making sure you are running version 0.4.1 or later of the Password Reset Tool product. Plone 2.5.1 final ships with this version included; until you upgrade to it, we suggest that you update the component manually:

  • Download the Password Reset Tool (version 0.4.1 or later)
  • Delete the existing PasswordResetTool folder in your installation
  • Replace it with the new version you just downloaded
  • (Re)start your Plone instance.

Known Exposure

No cases of this vulnerability being exploited on existing sites are known.