CVE-2009-0662: Authentication flaw in login form
The fix is included in an update of PlonePAS, the Pluggable Authentication System.
- Affected Plone versions list
- Instructions for installing the fix on Plone 3.0.x or 3.1.x
- Instructions for Plone 3.2.x
Karen Chan of Isotoma Limited found a bug in the login form handling of Plone 3.x. An already authenticated user could exploit this error and assume the identity of another user.
This issue has been assigned CVE-2009-0662.
All Plone 3.x releases are affected.
Plone 2.5 and earlier releases are not affected.
Installing the hotfix
If you are using Plone 3.0.x or 3.1.x you can download and install a new PlonePAS product release. The product can be installed as a normal Plone product:
- For Plone 3.0 use version 3.2.2 of PlonePAS. Verify the md5 hash of the hotfix package — it should be "f88c542bdf8e22674d284418e58c0da8".
- For Plone 3.1 use version 3.9 of PlonePAS. Verify the md5 hash of the hotfix package — it should be "9ddc4d9b3505fe71f2c3e17513680c50".
- Extract it in the Products directory of your Zope instance.
- Restart Zope
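The verify-then-extract step above, as an added example that is not part of the advisory or of PlonePAS itself: it maps a Plone 3.0.x/3.1.x version to the PlonePAS release and md5 digest listed above, refuses to extract a package whose digest does not match, and keeps every archive entry inside the Products directory. The function names are my own and the archive built in `demo()` is a constructed stand-in, not the real PlonePAS package.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# PlonePAS product release and published md5 per Plone series (values from the advisory).
HOTFIX = {
    "3.0": ("3.2.2", "f88c542bdf8e22674d284418e58c0da8"),
    "3.1": ("3.9", "9ddc4d9b3505fe71f2c3e17513680c50"),
}

def hotfix_for(plone_version):
    """Map a Plone 3.0.x / 3.1.x version string to (PlonePAS version, expected md5)."""
    series = ".".join(plone_version.split(".")[:2])
    if series not in HOTFIX:
        raise ValueError("no PlonePAS product release listed for Plone %s" % plone_version)
    return HOTFIX[series]

def md5_of_file(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def install_hotfix(archive_path, expected_md5, products_dir):
    """Extract the package into Products/ only if its md5 matches the published digest."""
    if md5_of_file(archive_path) != expected_md5:
        raise RuntimeError("md5 mismatch for %s; refusing to extract" % archive_path)
    root = Path(products_dir).resolve()
    with tarfile.open(str(archive_path), "r:gz") as tar:
        for m in tar.getmembers():  # reject entries that would land outside Products/
            target = (root / m.name).resolve()
            if target != root and root not in target.parents:
                raise RuntimeError("unsafe path in archive: %s" % m.name)
        tar.extractall(str(products_dir))
    return sorted(p.name for p in root.iterdir())

def demo():
    """Build a constructed stand-in for PlonePAS-3.2.2.tar.gz (not the real package) and install it."""
    work = Path(tempfile.mkdtemp())
    src = work / "__init__.py"
    src.write_bytes(b"# constructed placeholder, not PlonePAS code\n")
    archive = work / "PlonePAS-3.2.2.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname="PlonePAS/__init__.py")
    products = work / "Products"
    products.mkdir()
    try:  # the advisory's digest cannot match a constructed archive, so this must be refused
        install_hotfix(archive, hotfix_for("3.0.6")[1], products)
        refused = False
    except RuntimeError:
        refused = True
    return refused, install_hotfix(archive, md5_of_file(archive), products)  # own digest passes
```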
If you're using Plone 3.0 or Plone 3.1 with buildout you can update the productdistros section of your buildout.cfg to download the hotfix for you, as follows:
For Plone 3.0:

[productdistros]
recipe = plone.recipe.distros
urls = http://plone.org/products/plonepas/releases/3.2.2/PlonePAS-3.2.2.tar.gz
nested-packages =
version-suffix-packages =

For Plone 3.1:

[productdistros]
recipe = plone.recipe.distros
urls = http://plone.org/products/plonepas/releases/3.9/PlonePAS-3.9.tar.gz
nested-packages =
version-suffix-packages =
If you are using Plone 3.2.x you should use the Products.PlonePAS 3.9 egg release.
If you are using buildout you can update the version pin for this package by adding this entry to your buildout.cfg file:
[versions]
Products.PlonePAS = 3.9
If your buildout.cfg already has a "[versions]" part, just add the "Products.PlonePAS = 3.9" line. If there is no "[versions]" section, just add one to the end of your buildout.cfg file.
After making this change you need to stop Zope, run bin/buildout, and restart Zope.
Not using buildout
If you are not using buildout you can use the easy_install command to install an updated version of Products.PlonePAS:
$ easy_install -U Products.PlonePAS==3.9
No incidents of this vulnerability being exploited have been reported.