14 Jun 2021

feedPlanet Plone - Where Developers And Integrators Write

PLONE.ORG: Security patch 20210518 version 1.4 released

This is a routine patch. There is no evidence that the issues fixed here are being used against any sites.

Version 1.4 of the hotfix is available from:

This version is a recommended upgrade for all users.

See the original 20210518 hotfix announcement

From the changelog:

1.4 (2021-06-08)

  • Use safe html transform instead of escape for richtext diff. Otherwise the inline diff is not inline anymore.
    (Note: I forgot to add this to the changelog on PyPI/plone.org).
  • With PLONEHOTFIX20210518_NAMEDFILE_USE_DENYLIST=1 in the OS environment, use a denylist for determining which mimetypes can be displayed inline. By default we use an allowlist with the most used image types, plain text, and PDF. The denylist contains svg, javascript, and html, which have known cross site scripting possibilities.
  • By popular request, allow showing PDF files inline. Note: browser preference plays a part in what actually happens.
  • In untrusted path expressions with modules, check that each module is allowed. In the first version of the hotfix we disallowed modules that were available as a 'private' alias, for example random._itertools. But if random.itertools without underscore would have been available, it was still allowed, even though itertools has not been explicitly allowed. (itertools might be fine to allow, it is just an example.)

14 Jun 2021 4:11pm GMT

04 Jun 2021

feedPlanet Plone - Where Developers And Integrators Write

PLONE.ORG: Plone Powers a New Registration Portal

Challenge

The Open University of the University of Jyväskylä in Finland faced a daunting challenge: With a robust offering of international studies courses and a student audience beyond the usual set of university enrollees, registration needed to be faster, less complicated, and more flexible. For example :

  • Students from countries other than Finland needed a flexible authentication protocol
  • Students part-way through the registration process needed to get quickly back to the place where they had stopped
  • Coursework needed to be quickly and easily browsable, and purchase through university systems needed to be seamless
  • Course administrators needed a system where course listings could be updated with ease
  • Every step of the process needed to be loggable so that administrators could identify choke points and eliminate them

Solution

The development team at the University of Jyväskylä drew upon the strong core foundation of Plone to handle the all-essential data storage and management in a secure and accessible framework. Using Plone's modern RestAPI, the team was able to integrate, first, a wicked fast front end for managing data entry and browsing. Next, they used similar APIs to link to university systems for payment, user management, and the learning management system involved in course delivery. The ReactJS-based Volto front end (which will be standard on Plone 6) made dedicated and custom layouts very easy for the developers to create and even easier for administrators to add, edit, and organize.

One last integration using the RestAPI addressed the logging challenge. The team incorporated an open-source business process management tool, BPMN, into the platform to provide a window on every transaction, including how long each registration required and when and where registration ran into trouble.

Continuous improvement of the Plone framework has resulted in a fast, easy-to-use front end that editors love, deeply integrated with Plone's highly secure CMS backend built on Python and Zope. Based on Plone's unbeatable security record, the team knew they could trust the data to be safe. What's more, the framework's granular permission management was harnessed to allow teachers to access some areas, while students only got to see their own dashboard.

Feedback

User feedback has been overwhelmingly positive from both teachers and students at Open University. Problems with the identification and registration process have diminished greatly and, surprisingly, this had the side effect of improving the atmosphere in the courses.

More Information

Visit the English language version of the portal.

Read a technical blog post about the business process management integration.

04 Jun 2021 3:55pm GMT

18 May 2021

feedPlanet Plone - Where Developers And Integrators Write

PLONE.ORG: Security patch released 20210518

This is a routine patch with our standard 14 day notice period. There is no evidence that the issues fixed here are being used against any sites.

CVE numbers: CVE numbers have been assigned; see the individual pages.

Versions Affected: All supported Plone versions (4.3.20 and any earlier 4.3.x version, 5.2.4 and any earlier 5.x version).

Versions Not Affected: None.

Nature of vulnerabilities:

The patch will address several security issues:

  • Remote Code Execution via traversal in expressions. Reported by David Miller.
  • Writing arbitrary files via docutils and Python Script. Reported by Calum Hutton.
  • Various information disclosures: mostly installation logs. Reported by Calum Hutton.
  • Stored XSS from file upload (svg, html). Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
  • Reflected XSS in various spots. Reported by Calum Hutton.
  • XSS vulnerability in CMFDiffTool. Reported by Igor Margitich.
  • Stored XSS from user fullname. Reported by Tino Kautschke.
  • Blind SSRF via feedparser accessing an internal URL. Reported by Subodh Kumar Shree.
  • Server Side Request Forgery via event ical URL. Reported by MisakiKata and David Miller.
  • Server Side Request Forgery via lxml parser. Reported by MisakiKata and David Miller.

Thank you to all who contacted the Plone security team to report problems!

Version support: The hotfix is officially supported by the Plone security team on the following versions of Plone in accordance with the Plone version support policy: 4.3.20, 5.0.10, 5.1.7, 5.2.4. Previous versions, like 4.2, could be affected but have not been tested. On such old versions, the hotfix might have worse side effects than what it tries to fix.

The fixes included here will be incorporated into subsequent releases of Plone, so Plone 5.2.5 and greater should not require this hotfix.

Warning: The hotfix has not been tested with Python 2.6. Originally Plone 4.3 was supported on Python 2.6, but since a few releases this is no longer the case since. It gets ever more difficult to test on Python 2.6. By now, you may have trouble installing any package with Python 2.6.

The patch was released at 2021-05-18 15:00 UTC.

Installation

Full installation instructions are available on the HotFix release page.

Standard security advice

  • Make sure that the Zope/Plone service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories. Plone sites installed through our installers already do this.
  • Use an intrusion detection system that monitors key system resources for unauthorized changes.
  • Monitor your Zope, reverse-proxy request and system logs for unusual activity.
  • Make sure your administrator stays up to date, by following the special low-volume Plone Security Announcements list via email, RSS and/or Twitter

These are standard precautions that should be employed on any production system, and are not tied to this fix.

Extra Help

If you do not have in-house server administrators or a service agreement for supporting your website, you can find consulting companies at plone.com/providers

There is also free support available online via the Plone forum and the Plone chat channels.

Q: When will the patch be made available?
A: The Plone Security Team released the patch at 2021-05-18 15:00 UTC.

Q. What will be involved in applying the patch?
A. Patches are made available as tarball-style archives that may be unpacked into the products folder of a buildout installation (for Plone 5.1.x and earlier only) and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

Q: How were these vulnerabilities found?
A: The vulnerabilities were found by users submitting them to the security mailing list.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all administrators at the same time. There are no exceptions.

Q: If the patch has been developed already, why isn't it made available to the public now?
A: The Security Team is still testing the patch against a wide variety of configurations and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?
A: This information will not be made public until after the patch is made available.

Q: Is my Plone site at risk for this vulnerability? How do I know if my site has been exploited? How can I confirm that the hotfix is installed correctly and my site is protected?

A: Details about the vulnerability will be revealed at the same time as the patch.

Q: How can I report other potential security vulnerabilities?

A: Please email the Plone Security Team at security@plone.org rather than publicly discussing potential security issues.

Q: How can I apply the patch without affecting my users?

A: Even though this patch does NOT require you to run buildout, you can run buildout without affecting your users. You can restart a multi-client Plone install without affecting your users; see http://docs.plone.org/manage/deploying/processes.html

Q: How do I get help patching my site?

A: Plone service providers are listed at plone.com/providers There is also free support available online via the Plone forum and the Plone chat channels

Q: Who is on the Plone Security Team and how is it funded?

A: The Plone Security Team is made up of volunteers who are experienced developers familiar with the Plone code base and with security exploits. The Plone Security Team is not funded; members and/or their employers have volunteered their time in the interests of the greater Plone community.

Q: How can I help the Plone Security Team?

A: The Plone Security Team is looking for help from security-minded developers and testers. Volunteers must be known to the Security Team and have been part of the Plone community for some time. To help the Security Team financially, your donations are most welcome at http://plone.org/sponsors

General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums If you have specific questions about this vulnerability or its handling, contact the Plone Security Team at security@plone.org

To report potentially security-related issues, email the Plone Security Team at security@plone.org We are always happy to credit individuals and companies who make responsible disclosures.

Information for Vulnerability Database Maintainers

We will apply for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) will be available at the full vulnerability list.

18 May 2021 10:00am GMT