Password reset vulnerability (CVE-2006-4247)

The Password Reset Tool product did not have proper security checks on its password reset method, allowing anonymous users to reset any user's password through the web. Any site running Plone 2.5 should upgrade to the latest version of Password Reset Tool. Plone 2.1.x and 2.0.x are not affected.

This vulnerability has been assigned CVE id CVE-2006-4247.

Vulnerability details

Leon de Heus found an erroneous security declaration which could potentially allow a person sufficiently familiar with Zope to request a password reset for a given user and then intercept that request in order to change the password for that user.

Affected versions

Only the versions of Plone that ship with Password Reset Tool older than 0.4.1 are affected:
  • Plone 2.5
  • Plone 2.5.1 Release Candidate

Installers for all later releases include a fix for this problem.

Plone versions 1.0.x, 2.0.x and 2.1.x are NOT affected unless you have separately installed PasswordResetTool 0.4.0 or earlier.

Installing a fix

The vulnerability can be fixed by making sure you are running version 0.4.1 or later of the Password Reset Tool product. Plone 2.5.1 final will ship with this included; in the meantime we suggest that you update the component manually:
  • Download Password Reset Tool 0.4.1 or later
  • Delete the existing PasswordResetTool folder in your installation
  • Replace it with the new version you just downloaded
  • (Re)start your Plone instance.