Security vulnerability: 20151006 - CSRF

Patches to Zope and Plone for multiple CSRF issues.

Nature of vulnerability: The patch addresses multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope Management Interface).

The patch was released on Tuesday, October 6, 2015 at 15:00 UTC and is available from https://pypi.python.org/pypi/plone4.csrffixes

For general information on CSRF vulnerabilities, please see https://en.wikipedia.org/wiki/Cross-site_request_forgery

Affected Versions

All versions of Plone prior to 5.x are vulnerable.

This patch will be compatible with all security supported Plone versions (4.x). Plone 5.x is already protected and does not require this patch.

Nginx/Apache proxy block rules

If you are on versions of Plone prior to 4.x, we recommend that you upgrade or block ZMI access from the public.

Whether you use Nginx or Apache, these rules must appear first; they must come before the “location /” rule.

Use this block rule for Nginx:

location ~ /manage(_(?!translations).+)?$ {
      deny all;
}

Use this block rule for Apache (2.2 syntax):

RewriteRule ^(.*)/manage(_(?!translations).*)$ - [L,NC]
<LocationMatch "^(.*)/(manage|manage_main|manage(_(?!translations).*))$">
Order deny,allow
Deny from all
</LocationMatch>
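Before deploying the rules above it is worth confirming which paths they actually deny and that the Nginx and Apache variants agree. The following added check (not part of the advisory) copies the two regular expressions into Python and runs them over constructed sample URLs; it assumes, as Nginx and Apache do, that only the URI path (not the query string) is matched.

```python
import re
from urllib.parse import urlsplit

# Regex from the advisory's Nginx rule. `location ~` is case-sensitive and is
# matched against the normalized URI path, without the query string.
NGINX_MANAGE = re.compile(r"/manage(_(?!translations).+)?$")

# Regex from the advisory's Apache LocationMatch block (the part that denies).
APACHE_MANAGE = re.compile(r"^(.*)/(manage|manage_main|manage(_(?!translations).*))$")


def nginx_blocks(url: str) -> bool:
    """True if the advisory's Nginx rule would deny this request."""
    path = urlsplit(url).path
    return NGINX_MANAGE.search(path) is not None


def apache_blocks(url: str) -> bool:
    """True if the advisory's Apache LocationMatch rule would deny this request."""
    path = urlsplit(url).path
    return APACHE_MANAGE.match(path) is not None


def audit(urls):
    """Map each URL to (nginx_blocked, apache_blocked) so the two rules can be compared."""
    return {u: (nginx_blocks(u), apache_blocks(u)) for u in urls}


# Constructed sample URLs (not taken from the advisory).
SAMPLE_URLS = [
    "https://example.org/manage",                                # ZMI root
    "https://example.org/manage_main",
    "https://example.org/Plone/manage_workspace?foo=1",          # query string ignored
    "https://example.org/Plone/folder/manage_propertiesForm",    # nested object
    "https://example.org/Plone/manage_translations",             # explicitly exempted
    "https://example.org/Plone/front-page",                      # normal content
    "https://example.org/Plone/manager-notes",                   # "manage" prefix, not ZMI
]

if __name__ == "__main__":
    for url, (nginx_hit, apache_hit) in audit(SAMPLE_URLS).items():
        print(f"{'DENY ' if nginx_hit else 'allow'} nginx  {'DENY ' if apache_hit else 'allow'} apache  {url}")
```

Any URL on which the two columns disagree points at a difference between the deployed rules that should be resolved before relying on them.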

These blocking mechanisms do not entirely eliminate CSRF vulnerabilities, but make them much harder to exploit. Site managers should discipline themselves to use direct access (an ssh tunnel) only temporarily when they need to use the Zope Management Interface.

Firewall

We also recommend that you have a firewall in place that disallows direct access to the ZEO client port(s), e.g. 8080, 8081, and to any ZEO server ports, e.g. 8100.

For more information about using a firewall to protect Plone, please see http://docs.plone.org/manage/deploying/production/ubuntu_production.html#step-8-set-up-a-firewall

About the patch

In order to prevent these CSRF issues, this patch backports to Plone 4.x the new auto CSRF protection framework that is included in Plone 5.

Unlike previous Plone patches, this patch is not a simple product that can be installed without running buildout.

Plone’s CSRF protection works seamlessly on default Plone sites. However, it can be overly aggressive if you are using addons or customizations that include the following:

  • code that is not CSRF protected
  • custom non-jQuery AJAX JavaScript code that is not CSRF protected
  • code that does write-on-read

Once the patch has been applied, Plone may throw errors when it encounters the above.

You will need to append _authenticator values to many URLs to prevent write-on-read errors. For details on how to do this, see https://pypi.python.org/pypi/plone.protect

We advise you to thoroughly test your sites before going live with the patch.

While you are working out the patch’s effect on your site, we strongly recommend you implement the above Nginx and Apache block rules.

The Security Team realizes this patch may be challenging to incorporate into your sites. We have tried hard and worked a long time on this problem to do the best we can to prevent CSRF vulnerabilities.

Please contact Security Team at security@plone.org with your suggestions for improvements that we could incorporate into the patch.

Installation

Full installation instructions are available on the HotFix release page.

WARNING: installation of this patch requires running buildout. Other installation methods used with previous patches will not work correctly and will result in errors and/or your site continuing to be vulnerable.

Extra Help

Should you not have in-house server administrators or a service agreement for supporting your website, you can find consulting companies at plone.com/providers and plone.org/support/network

There is also free support available online via Plone mailing lists and the Plone IRC channels.

Questions and Answers


Q: What is involved in applying the patch?

A: This patch is made available as a Python package that must be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish, though you should take care to test your site afterwards.

Q: How was this vulnerability found?

A: The majority of issues were found as part of audits performed by the Plone Security team. A subset were reported by users.

Q: Is my Plone site at risk for this vulnerability?

Q: How do I know if my site has been exploited?

A: There are no known exploits regarding the CSRF issues that have been patched.

Q: How can I confirm that the patch is installed correctly and my site is protected?

A: Ensure that the plone4.csrffixes package is installed on your site. You can tell that it is active if, when you are logged in, you see that edit bar links include _authenticator values in the URL.
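The check above can be automated: save the HTML of a page while logged in and list which edit-bar links carry an _authenticator query parameter. This is an added example, not part of the advisory or of plone4.csrffixes; the HTML fragment is constructed and the token value in it is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class LinkCollector(HTMLParser):
    """Collect href attributes of all <a> elements in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def has_authenticator(href: str) -> bool:
    """True if the link's query string carries a non-empty _authenticator value."""
    return bool(parse_qs(urlsplit(href).query).get("_authenticator"))


def check_links(html: str) -> dict:
    """Map every link in the page to whether it carries an _authenticator token."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: has_authenticator(href) for href in parser.hrefs}


def unprotected_links(html: str) -> list:
    """Links without a token; a read-only 'view' link is expected here, write actions are not."""
    return [href for href, ok in check_links(html).items() if not ok]


# Constructed edit-bar fragment; the token value is a placeholder, not a real one.
SAMPLE_EDITBAR = """
<ul id="content-views">
  <li><a href="http://example.org/Plone/front-page/view">View</a></li>
  <li><a href="http://example.org/Plone/front-page/edit?_authenticator=PLACEHOLDER_TOKEN">Edit</a></li>
  <li><a href="http://example.org/Plone/front-page/folder_contents?_authenticator=PLACEHOLDER_TOKEN">Contents</a></li>
  <li><a href="http://example.org/Plone/front-page/object_cut">Cut</a></li>
</ul>
"""

if __name__ == "__main__":
    for href, protected in check_links(SAMPLE_EDITBAR).items():
        print("token" if protected else "none ", href)
```

A state-changing link (such as the constructed object_cut one) appearing without a token after patching is the kind of add-on customization the advisory warns will need _authenticator values appended.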

Q: How can I report other potential security vulnerabilities?

A: Please email the Plone Security Team at security@plone.org rather than publicly discussing potential security issues.

Q: How can I apply the patch without affecting my users?

A: You can run buildout without affecting your users. You can restart a multi-client Plone install without affecting your users; see http://docs.plone.org/manage/deploying/processes.html

Q: How do I get help patching my site?

A: Plone service providers are listed at plone.com/providers and plone.org/support/network. There is also free support available online via Plone mailing lists and the Plone IRC channels.

Q: Who is on the Plone Security Team and how is it funded?

A: The Plone Security Team is made up of volunteers who are experienced developers familiar with the Plone code base and with security exploits. The Plone Security Team is not funded; members and/or their employers have volunteered their time in the interests of the greater Plone community.


General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. However, if you have specific questions about this vulnerability or its handling, avoid discussing them publicly; instead, contact the Plone Security Team at security@plone.org.

To report potentially security-related issues, email the Plone Security Team at security@plone.org – we are always happy to credit individuals and companies who make responsible disclosures.

Information for Vulnerability Database Maintainers

We will apply for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) will be available at the full vulnerability list.