Plone Hotfix CVE-2008-0164 (May 13, 2008)
This update protects security sensitive forms in Plone from cross site request forgery (CSRF) attacks. The hotfix only applies to Plone 3.0.x — Plone 3.1.x or later have this built-in, and do not need this hotfix installed. If you have older releases that you can't upgrade, please read about available workarounds.
Tested with: Plone 3
Release Manager: Andreas Zeidler
Adrian Pastor from security firm reported that Plone is vulnerable to this class of attacks. CSRF attacks work against people with a valid session on a Plone site: an attacker can — by tricking them (or their browser) into making an HTTP request to the site — use their active session and change security sensitive settings such as the user's email address.
A framework to protect Plone against CSRF attacks has been developed in the form of PLIP 224 for Plone 3.1 and is available for Plone 3.0 via Plone Hotfix CVE-2008-0164. For older versions of Plone (i.e. the 2.x and 1.0 series), please upgrade. If you are unable to upgrade, see the Temporary Workaround section below.
This issue has been assigned CVE-2008-0164.
All Plone releases are affected.
Plone 3.1 and later include a fix for this issue and do not need this hotfix.
Installing the hotfix
If you are using Plone 3.0.x you can download and install Plone Hotfix CVE-2008-0164. The hotfix can be installed as a normal Plone product:
- Verify the md5 hash of the hotfix package — it should be "c81bd88cbf555ccfba8fc695173bf505"
- Extract it in the Products directory of your Zope instance
- Restart Zope
- Go to the 'Add-on Products' panel in the Plone Site Setup
- Install the hotfix product
Uninstalling the hotfix
- Remove 'PloneHotfixCVE20080164' from the Products directory of your Plone instance
- Restart Zope
Temporary workaround
If you can't upgrade your sites to the latest version of Plone yet, there are some simple steps you can take to make sure you are not affected by this vulnerability.
The most important thing to understand is that this vulnerability is not remotely exploitable — i.e. it requires you to take a particular action, and a targeted attack for you to be exposed. Thus, you can make sure you are not affected by this quite easily:
Only log in as the administrator user when you really need to, and log out when you are done. Do not visit untrusted web sites (especially in other tabs of the same browser) while you are logged in to your Plone site as an administrator. Try to limit browsing of untrusted sites even when you are logged in as a normal user.
If your habit is to browse your site logged in as an administrator, we encourage you to create a normal user for this instead, and only use the admin account when you really need to.
The real fix is of course to upgrade Plone to the latest release as soon as possible.
- Wikipedia has an article explaining how CSRF works.
- Since this type of attack is on the rise in web applications in general, Plone now includes protection for it in its core.
- See the plone.keyring modules for making use of this in your own applications.
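The protection described above (PLIP 224 / plone.keyring) works by giving every security sensitive form a hidden authenticator token that only the site itself can issue, so a request forged from another site, which carries the victim's session cookie but cannot read the token, is rejected. The following is an added illustration of that mechanism in plain Python; it is not the hotfix's or plone.protect's own code. The `User` class, the two `change_email_*` handlers and `simulate()` are hypothetical, the secret is generated in-process rather than stored in a keyring, and the `_authenticator` field name is assumed to mirror the hidden form field plone.protect uses.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret. A real deployment keeps this in persistent
# storage (plone.keyring stores it in the ZODB) so issued tokens survive restarts.
SECRET_KEY = secrets.token_bytes(32)


def make_token(secret, user_id):
    """Authenticator token for a form rendered to `user_id`: an HMAC over the
    user id, so a token issued to one user is useless for another."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_token(secret, user_id, token):
    """Verify a submitted token in constant time; a missing token fails."""
    if not token:
        return False
    return hmac.compare_digest(make_token(secret, user_id), token)


class User:
    """Hypothetical stand-in for the member whose session the request carries."""

    def __init__(self, user_id, email):
        self.user_id = user_id
        self.email = email


def change_email_unprotected(session_user, form):
    """'Before': any request arriving with a valid session is honoured, which is
    exactly what a cross-site forged request exploits."""
    session_user.email = form["email"]
    return True


def change_email_protected(secret, session_user, form):
    """'After': the request must also carry the authenticator token that the
    site embedded when it rendered the form to this very user."""
    if not check_token(secret, session_user.user_id, form.get("_authenticator")):
        return False
    session_user.email = form["email"]
    return True


def simulate():
    """Run both handlers against a forged and a genuine submission (constructed)."""
    results = {}

    # A submission originating from an untrusted site: the browser attaches the
    # victim's session cookie (modelled by passing `victim`), but the attacker has
    # no way to obtain the token, so the form lacks the `_authenticator` field.
    forged = {"email": "attacker@example.net"}

    victim = User("alice", "alice@example.org")
    results["unprotected_accepts_forged"] = change_email_unprotected(victim, forged)

    victim = User("alice", "alice@example.org")
    results["protected_rejects_forged"] = not change_email_protected(SECRET_KEY, victim, forged)
    results["email_unchanged_after_forged"] = victim.email == "alice@example.org"

    # The same form rendered by the site itself carries alice's token.
    genuine = {
        "email": "alice.new@example.org",
        "_authenticator": make_token(SECRET_KEY, "alice"),
    }
    results["protected_accepts_genuine"] = change_email_protected(SECRET_KEY, victim, genuine)
    results["email_updated_after_genuine"] = victim.email == "alice.new@example.org"

    # A token issued to a different logged-in user must not be accepted either.
    results["rejects_other_users_token"] = not check_token(
        SECRET_KEY, "alice", make_token(SECRET_KEY, "bob")
    )
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {ok}")
```

Two design points carry over to any application built on plone.keyring: the token is tied to the logged-in user rather than being a global value, and it is compared with `hmac.compare_digest` so that verification time does not leak how many leading characters of a guessed token were correct.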
No incidents of this vulnerability being exploited have been reported.