Privilege escalation through exposed underlying API

by matthewwilkes — published 2013/12/10 14:48:00 GMT+0, last modified 2016-08-30T16:37:19+00:00
An exposed search API allows privileged section administrators to search for content outside the area they administer.

Versions affected

  • 4.3.2
  • 4.3.1
  • 4.3
  • 4.2.7
  • 4.2.6
  • 4.2.5
  • 4.2.4
  • 4.2.3
  • 4.2.2
  • 4.2.1
  • 4.2
  • 4.1.6
  • 4.1.5
  • 4.1.4
  • 4.1.3
  • 4.1.2
  • 4.1.1
  • 4.1
  • 4.0.10
  • 4.0.9
  • 4.0.8
  • 4.0.7
  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0
  • 3.3.6
  • 3.3.5
  • 3.3.4
  • 3.3.3
  • 3.3.2
  • 3.3.1
  • 3.3

Vulnerability

Plone's CatalogTool subclasses the CatalogTool from CMF and wraps only a subset of the catalog's search methods to add permission checks, so that results are limited to content the caller is allowed to see. The methods it leaves unwrapped are not part of the official API, but they remained callable from restricted Python (for example through-the-web scripts and templates). A user who can write such code, such as a section administrator, could call one of them to query the catalog without the permission filter and obtain information about content outside the area they are authorised to administer. Source at: https://github.com/plone/Products.CMFPlone/blob/b08a45bc12b1bd42411f1130a487a7a242349ea0/Products/CMFPlone/CatalogTool.py
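
The pattern behind this advisory, as an added example that is not Plone code: a base catalog with several public query entry points, a subclass that adds a permission filter to only one of them, and a hardened subclass that wraps every inherited entry point through the same filter. The class, record, role and method names (BaseCatalog, search_results, search, unwrapped_entry_points, the HRAdmin role) are hypothetical stand-ins, and the sample records are constructed for the example.

```python
"""Added illustration of a partially wrapped catalog and its hardened form.

Not Plone or CMF code: every name here is a hypothetical stand-in for a
ZCatalog-style tool that exposes more than one query entry point.
"""
import inspect

# Constructed sample records. 'allowed' plays the role of an
# allowed-roles index: the roles permitted to see the record.
RECORDS = [
    {"path": "/site/public/news", "type": "document",
     "allowed": {"Anonymous", "Authenticated"}},
    {"path": "/site/hr/salaries", "type": "document",
     "allowed": {"HRAdmin"}},
    {"path": "/site/legal/contracts", "type": "document",
     "allowed": {"LegalAdmin"}},
]


class BaseCatalog:
    """Underlying catalog: every entry point runs the raw query unfiltered."""

    def __init__(self, records):
        self._records = list(records)

    def _raw_search(self, query):
        # Exact-match on every key of the query dict.
        return [r for r in self._records
                if all(r.get(k) == v for k, v in query.items())]

    # Two public entry points, as a catalog base class typically has.
    def search_results(self, **query):
        return self._raw_search(query)

    def search(self, query):
        return self._raw_search(query)


class PartiallyWrappedCatalog(BaseCatalog):
    """Vulnerable pattern: the permission filter is added to search_results()
    only; search() is inherited unwrapped and still reachable by callers."""

    def __init__(self, records, user_roles):
        super().__init__(records)
        self.user_roles = set(user_roles)

    def _apply_security(self, results):
        # Keep only records whose allowed roles intersect the caller's roles.
        return [r for r in results if r["allowed"] & self.user_roles]

    def search_results(self, **query):
        return self._apply_security(super().search_results(**query))


class FullyWrappedCatalog(PartiallyWrappedCatalog):
    """Hardened: every inherited entry point goes through the same filter."""

    def search(self, query):
        return self._apply_security(super().search(query))


def unwrapped_entry_points(cls, base):
    """Audit helper: public methods of `base` that `cls` still inherits
    unchanged, i.e. entry points that bypass whatever `cls` adds."""
    return sorted(
        name for name, func in inspect.getmembers(base, inspect.isfunction)
        if not name.startswith("_") and getattr(cls, name) is func
    )


def demo():
    """Query as a hypothetical HR section administrator via each entry point.

    Returns the paths seen through (wrapped, unwrapped, hardened) calls.
    """
    roles = {"Authenticated", "HRAdmin"}
    query = {"type": "document"}
    vulnerable = PartiallyWrappedCatalog(RECORDS, roles)
    hardened = FullyWrappedCatalog(RECORDS, roles)

    def paths(results):
        return [r["path"] for r in results]

    return (paths(vulnerable.search_results(**query)),   # filtered
            paths(vulnerable.search(query)),             # leaks legal/contracts
            paths(hardened.search(query)))               # filtered again


if __name__ == "__main__":
    wrapped, unwrapped, fixed = demo()
    print("wrapped entry point  :", wrapped)
    print("unwrapped entry point:", unwrapped)
    print("hardened catalog     :", fixed)
    print("still unwrapped in PartiallyWrappedCatalog:",
          unwrapped_entry_points(PartiallyWrappedCatalog, BaseCatalog))
```

The audit helper is the check a practitioner would run on a subclass of this kind: list every public method the base class defines that the subclass does not override, and treat each one as an entry point that skips the added filter. In a Zope product the alternative to wrapping such a method is to declare it private with the class security machinery, so that restricted Python cannot call it at all; either way, no public entry point of the base class should remain reachable without the check.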

Current status

Patched

Credits

Discovered by

  • Richard Mitchell, of the Plone Security Team

Fixed by

  • Matthew Wilkes, of the Plone Security Team

Coordinated by

  • Plone Security Team