Minor Plone Security Fixes

The Plone Security Team has released new versions of several packages. These new versions remedy several security-related issues, none of which were significant enough to warrant a full security hotfix.

Issues and version updates are detailed below.  You can use the new versions in your Plone installation by pinning these version numbers in your buildout.

The new versions include releases of Pillow (provided by the Pillow security team) and PloneFormGen (provided by the PloneFormGen maintainers).

Plone release

  • All fixes mentioned below for the other packages are included in new Plone releases.  So if you can update your site in the normal way to one of these versions, that is best.  Please apply the normal procedures you use for updating your site.  This should include testing the upgrade on a copy of your site.
  • Exception: Products.PloneFormGen is an add-on that is not included in the core versions of Plone.  You need to update this explicitly.
  • Plone 4.2 or earlier: no new versions list is made available.
  • Plone 4.3: extend http://dist.plone.org/release/4.3.10/versions.cfg or use the installer.
  • Plone 5.0: extend http://dist.plone.org/release/5.0.5/versions.cfg or use the installer.

plone.app.discussion

  • Nature of vulnerability: Cross Site Scripting (XSS) attack on comment moderation page.
  • Affected: this only affects you if you have enabled commenting, have enabled comment moderation, and are using plain text or intelligenttext as comment format.  The only spot where you are vulnerable is the comment moderation page, so regular visitors of your site have nothing to fear.  If you have enabled anonymous commenting, anyone can attempt this attack, which makes this the most serious one.
  • Workaround: switch to Markdown or html as comment format.  Because existing comments may still be affected, use the moderation options on the page where the comment appears, or use the moderation page with javascript turned off.
  • Plone 4.0 or earlier: not affected, because plone.app.discussion is not included in the core.
  • Plone 4.1, 4.2: use plone.app.discussion 2.1.2
  • Plone 4.3: use plone.app.discussion 2.2.18
  • Plone 5.0: use plone.app.discussion 2.4.16

Products.CMFPlone (1)

  • Nature of vulnerability: exposing properties of the site to anonymous users.  We mean properties from the Properties tab in the Zope Management Interface, or from the portal_properties tool.
  • Affected: this affects everyone.  In standard Plone nothing very interesting can be seen.  But if you have an add-on or own code that stores a secret key here, anonymous users can view this.
  • Workaround: do not use the properties to store info that needs to remain secret.  The configuration registry is a much better place for this.
  • Plone 4.2 or earlier: no fix is issued.
  • Plone 4.3: use Products.CMFPlone 4.3.10
  • Plone 5.0: use Products.CMFPlone 5.0.5

Products.CMFPlone (2)

  • Nature of vulnerability: Cross Site Scripting (XSS) attack in any field that uses the select2 pattern.  By default these are the contributors, creators, and tag fields.
  • Affected: this affects you if untrusted or compromised users can create or edit content.  You are only vulnerable when editing content.
  • Workaround: use the edit pages with javascript turned off (which admittedly is not nice).
  • Plone 4.3 or earlier: not affected
  • Plone 5.0: use Products.CMFPlone 5.0.5

mockup

  • This is the same vulnerability as in Products.CMFPlone (2).  The mockup package is only used when you are compiling javascript resources in the new resource registries control panel.
  • Plone 4.3 or earlier: not affected
  • Plone 5.0: use mockup 2.1.5

plone.app.event

  • Nature of vulnerability: Cross Site Scripting (XSS) attack in location field of Events.
  • Affected: this affects you if untrusted or compromised users can create or edit Events.
  • Note: these are the dexterity events.  Plone 4 does not ship with this, but you may have added it.
  • Plone 4.2 or earlier: plone.app.event is not used by default.  If you do use it, you probably know what you are doing.
  • Plone 4.3: use plone.app.event 1.1.6 (if your site uses this package).  Note: if you had custom code to override the `get_location` view helper method to return html, this no longer works.  For plain text it still works fine, but the `get_location` method is gone in version 2.0, for simplicity.  Instead you can override the necessary templates in your add-ons.
  • Plone 5.0: use plone.app.event 2.0.10

plone.app.contenttypes

  • Nature of vulnerability: Cross Site Scripting (XSS) attack in the caption field of the leadimage behavior.
  • Affected: this affects you if untrusted or compromised users can create or edit content.  By default only News Items use the leadimage behavior, but this behavior may have been enabled on other types.
  • Note: this is a package with dexterity content types.  Plone 4 does not ship with this, but you may have added it.  Archetypes News Items are not affected.
  • Note: there is also the collective.contentleadimage package, which does a similar thing for Archetypes content, but this is not affected.
  • Plone 4.2 or earlier: plone.app.contenttypes is not used by default.  If you do use it, you probably know what you are doing.
  • Plone 4.3: use plone.app.contenttypes 1.1.1.  Note that only news items are affected, because the leadimage caption is not shown in the behavior.
  • Plone 5.0: use plone.app.contenttypes 1.2.15

Products.PloneFormGen

  • Nature of vulnerability: The 'help' field of form fields was not HTML escaped, allowing it to be used for an XSS attack.
  • Affected: this only affects you if you allow untrusted or compromised users to create forms.
  • For more info, see https://github.com/smcmahon/Products.PloneFormGen/blob/master/CHANGES.txt
  • On Plone 4.1 and higher, update to Products.PloneFormGen 1.7.19.
  • On Plone 5.0 and higher, update to Products.PloneFormGen 1.8.1.

Pillow

  • Nature of vulnerability: when an attacker uploads a specially crafted image, the Plone Site may crash.  Because this is a buffer overflow, the attacker may theoretically also read other parts of the memory of your machine.
  • Affected: this only affects you if you allow untrusted or compromised users to upload images.
  • For more info, see http://pillow.readthedocs.io/en/3.2.x/releasenotes/index.html
  • You might be using PIL or PILwoTk instead of Pillow, but they have basically the same problem.
  • On Plone 4.0 and higher, update to Pillow 3.1.2 or 3.2.0.
  • On Plone 3 you need to use Python 2.4, and the latest compatible Pillow version is 1.7.0, which may be vulnerable.  There is no fix here.  Note that both Plone 3 and Python 2.4 are not getting security updates anymore.

Versions

These are the versions that you should update in the `[versions]` section of your buildout.cfg configuration file:

On Plone 4.0:

Pillow = 3.2.0
Products.PloneFormGen = 1.7.19

On Plone 4.1 and 4.2:

Pillow = 3.2.0
plone.app.discussion = 2.1.2
Products.PloneFormGen = 1.7.19

On Plone 4.3:

Pillow = 3.2.0
plone.app.contenttypes = 1.1.1
plone.app.discussion = 2.2.18
plone.app.event = 1.1.6
Products.CMFPlone = 4.3.10
Products.PloneFormGen = 1.7.19

On Plone 5.0:

mockup = 2.1.5
Pillow = 3.2.0
plone.app.contenttypes = 1.2.15
plone.app.discussion = 2.4.16
plone.app.event = 2.0.10
Products.CMFPlone = 5.0.5
Products.PloneFormGen = 1.8.1
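To check an existing buildout.cfg against these pins, here is an added Python script (not part of this advisory or of Plone) that parses the local `[versions]` section and reports every package pinned below the fixed version; the sample config is constructed.  It only sees pins in that file, not those inherited through the `extends` line, so a package reported as unpinned may still be fixed by the extended versions.cfg, or simply not be installed.

```python
import configparser
from itertools import takewhile

# Minimum fixed versions per Plone series, taken from the advisory.
# Pillow: the advisory accepts 3.1.2 or 3.2.0, so 3.1.2 is the minimum.
FIXED = {
    "4.0": {"Pillow": "3.1.2", "Products.PloneFormGen": "1.7.19"},
    "4.1": {"Pillow": "3.1.2", "plone.app.discussion": "2.1.2",
            "Products.PloneFormGen": "1.7.19"},
    "4.3": {"Pillow": "3.1.2", "plone.app.contenttypes": "1.1.1",
            "plone.app.discussion": "2.2.18", "plone.app.event": "1.1.6",
            "Products.CMFPlone": "4.3.10", "Products.PloneFormGen": "1.7.19"},
    "5.0": {"mockup": "2.1.5", "Pillow": "3.1.2",
            "plone.app.contenttypes": "1.2.15", "plone.app.discussion": "2.4.16",
            "plone.app.event": "2.0.10", "Products.CMFPlone": "5.0.5",
            "Products.PloneFormGen": "1.8.1"},
}
FIXED["4.2"] = FIXED["4.1"]  # 4.2 needs the same pins as 4.1

def version_key(version):
    """'4.3.10' -> (4, 3, 10); numeric, so 4.3.10 ranks above 4.3.9 unlike a str compare."""
    # Stop at the first non-numeric piece (e.g. 'rc1'), pad to three numbers.
    parts = [int(p) for p in takewhile(str.isdigit, version.split("."))]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_pins(cfg_text):
    """Return the [versions] section as {lowercased name: version}."""
    parser = configparser.ConfigParser(interpolation=None)  # buildout uses ${...}
    parser.read_string(cfg_text)
    return dict(parser["versions"]) if parser.has_section("versions") else {}

def check_pins(pins, plone_series):
    """Return {package: (pinned_or_None, required)} for every advisory
    package that is unpinned here or pinned below the fixed version."""
    findings = {}
    for pkg, required in FIXED[plone_series].items():
        pinned = pins.get(pkg.lower())  # buildout names are case-insensitive
        if pinned is None or version_key(pinned) < version_key(required):
            findings[pkg] = (pinned, required)
    return findings

# Constructed buildout.cfg for a Plone 4.3 site that predates this advisory.
SAMPLE_CFG = """\
[buildout]
extends = http://dist.plone.org/release/4.3.9/versions.cfg
[versions]
Pillow = 3.1.1
plone.app.discussion = 2.2.18
Products.CMFPlone = 4.3.9
"""
```

Running `check_pins(parse_pins(SAMPLE_CFG), "4.3")` flags Pillow and Products.CMFPlone as too old and the three unpinned packages as not pinned locally, while plone.app.discussion passes.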

Questions and Support

For questions and help with these updates, please see plone.org/support