Red Hat Bugzilla – Bug 366901
CVE-2007-5741 plone: python code injection via pickle cookie
Last modified: 2014-11-07 10:40:56 EST
A vulnerability was discovered in the statusmessages and linkintegrity
modules, where unsafe network data was interpreted as Python pickles. This
allowed an attacker to run arbitrary Python code within the Zope/Plone
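As an added illustration of the pattern behind the report above (example code, not Plone's own code or the upstream fix), the block below shows two defensive options for a status-message cookie that arrives as a pickle: an unpickler that refuses to resolve any global, and the preferable replacement of pickle by HMAC-authenticated JSON. The names RestrictedUnpickler, check_cookie_pickle, sign_cookie, load_cookie and the key are hypothetical.

```python
# Added example, not Plone's own code: two ways to stop a status-message
# cookie that arrives as a raw pickle from turning into code execution.
# Names (RestrictedUnpickler, sign_cookie, load_cookie) are hypothetical.
import hashlib
import hmac
import io
import json
import pickle

SECRET = b"constructed-server-side-key"  # stays on the server, never in a cookie


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global: plain data (str, int, list, dict, tuple)
    needs none, while a pickle that names a module attribute is the vector
    for running arbitrary Python, so it is rejected before anything runs."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("cookie pickle references %s.%s" % (module, name))


def check_cookie_pickle(data: bytes):
    """Return ('ok', obj) for pure-data pickles, ('refused', reason) otherwise."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


# Constructed samples: plain data, and a pickle that references a global
# (a harmless builtin here; the point is that find_class refuses it).
PLAIN_PICKLE = pickle.dumps([("info", "Changes saved.")])
GLOBAL_PICKLE = pickle.dumps(len)


def sign_cookie(messages) -> str:
    """Preferred fix: serialise as JSON (no code paths at all) and authenticate
    the bytes with an HMAC so the client cannot alter them unnoticed."""
    body = json.dumps(messages, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def load_cookie(cookie: str):
    """Verify the MAC first; return None for malformed or tampered cookies."""
    try:
        body_hex, tag = cookie.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)
```

The restricted unpickler is a stop-gap for code that cannot drop pickle immediately; the signed JSON form removes the deserialisation code path entirely and also rejects any client-side tampering.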
Created attachment 248361
Some Plone components are shipped in conga - luci. Module statusmessages seems
to be included.
James, can you please confirm whether conga packages are affected by this issue?
Hi, we're (luci) not affected by this. We broke this functionality on purpose.
Even though the code is shipped with luci because of dependencies, the code path
can (AFAICS) never be tripped, as we've stripped down the default page templates
substantially. Confirm by trying something like
We'll upgrade to the latest versions of Zope and Plone for the next version we
ship, though, to be safe.
Ryan is spot on with his comment above. Thanks, Ryan.
Now public at