Urgent Zope Security Hotfix (CVE-2006-3458)

A patch has been created for a Zope vulnerability which affects Plone. Please download and install it.

An information disclosure vulnerability has been discovered in Zope/Plone's handling of reStructuredText content. Any Plone site which allows untrusted users to add or edit reStructuredText content is vulnerable to this issue and should apply the hotfix. For more details see the hotfix README, which includes information on applicable Zope versions.

Vulnerability details

reStructuredText supports the raw and include directives. These could be used to expose filesystem content from the Zope server through the Zope and Plone web interface, or to build a recursive include loop which would cause Zope to endlessly consume memory and CPU resources.

This hotfix disables both directives. No Plone functionality is affected by this change.
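For administrators who want to check existing content, or who render reStructuredText outside Zope, the following added example (not part of this advisory or the hotfix) shows two defensive measures: a small scanner that flags the raw and include directives in stored rST source so affected items can be reviewed, and a rendering helper that refuses both directives using the docutils settings `raw_enabled` and `file_insertion_enabled`. The scanner and the sample document are constructed for illustration; `render_hardened` assumes the docutils package is installed.

```python
"""Audit reStructuredText source for the raw/include directives and render
it with those directives disabled.

Added example, not code from the Plone advisory or the Zope hotfix. The
scanner is a hypothetical helper; render_hardened uses real docutils settings.
"""
import re

# Directive names the hotfix disables (directive names are case-insensitive).
BLOCKED_DIRECTIVES = ("raw", "include")

# Explicit-markup directive line: ".. name::" optionally followed by arguments.
# Only spaces/tabs are allowed around the tokens so a match never starts on a
# preceding blank line (which would throw off the reported line number).
DIRECTIVE_RE = re.compile(
    r"^[ \t]*\.\.[ \t]+(?P<name>[A-Za-z][\w-]*)[ \t]*::",
    re.MULTILINE,
)


def find_blocked_directives(source):
    """Return a list of (line_number, directive_name) for every raw/include
    directive in `source`. Intended as quick triage over stored content, not as
    a full rST parser: it does not follow substitution definitions."""
    hits = []
    for match in DIRECTIVE_RE.finditer(source):
        name = match.group("name").lower()
        if name in BLOCKED_DIRECTIVES:
            line_no = source.count("\n", 0, match.start()) + 1
            hits.append((line_no, name))
    return hits


def is_safe_to_publish(source):
    """True when the source contains neither a raw nor an include directive."""
    return not find_blocked_directives(source)


def render_hardened(source):
    """Render rST to an HTML fragment with raw and include refused.

    docutils then emits a system message in place of the directive instead of
    reading the file or passing raw markup through. Requires docutils.
    """
    from docutils.core import publish_parts  # imported lazily; optional dependency
    overrides = {
        "raw_enabled": False,             # ".. raw::" directive rejected
        "file_insertion_enabled": False,  # ".. include::" and :file:/:url: options rejected
    }
    return publish_parts(source, writer_name="html", settings_overrides=overrides)["fragment"]


# Constructed sample document: one include and one (upper-case) raw directive,
# plus a harmless note directive that must not be flagged.
SAMPLE = """\
Release notes
=============

.. include:: /some/server/file.txt

Some text.

.. RAW:: html
   :file: /some/server/file.txt

.. note:: This directive is harmless.
"""

if __name__ == "__main__":
    for line_no, name in find_blocked_directives(SAMPLE):
        print("line %d: '%s' directive found" % (line_no, name))
    print("safe to publish:", is_safe_to_publish(SAMPLE))
```

Run the module directly to see the scanner's report on the constructed sample; `render_hardened` is the drop-in for any place where untrusted rST is turned into HTML.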

Affected versions

All current Plone versions are affected:

  • Plone 2.0 up to version 2.0.5
  • Plone 2.1 up to version 2.1.3
  • Plone 2.5 up to version 2.5

Installers for all later releases will include a fix for this problem.

Installing the hotfix

This bug can be fixed by installing the Zope 20060706 hotfix. The hotfix can be installed as a normal Zope product:

  • extract it in the Products directory of your Zope instance
  • restart Zope
  • verify that Hotfix_20060705 is listed in the product management page in the Zope control panel