Bug 366901 - (CVE-2007-5741) CVE-2007-5741 plone: python code injection via pickle cookie
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
source=vendorsec,reported=20071104,pu...
: Security
Reported: 2007-11-05 10:42 EST by Tomas Hoger
Modified: 2014-11-07 10:40 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-11-06 09:08:48 EST
Attachments
Plone hotfix (4.58 KB, application/x-gzip)
2007-11-05 10:43 EST, Tomas Hoger
Description Tomas Hoger 2007-11-05 10:42:10 EST
A vulnerability was discovered in the statusmessages and linkintegrity
modules, where unsafe network data was interpreted as python pickles. This
allowed an attacker to run arbitrary python code within the Zope/Plone
process.
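
The class of bug described above, seen from the defensive side, as an added example (not the Plone hotfix and not code from this bug): a status cookie is handled as HMAC-authenticated JSON instead of being unpickled, and data that must still be read as pickle goes through an unpickler that refuses every global lookup. The function names, the secret and the cookie layout are assumptions made for illustration.

```python
import base64, hashlib, hmac, io, json, pickle

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL/STACK_GLOBAL lookup."""

    def find_class(self, module, name):
        # pickle resolves importable names here; refusing all of them leaves
        # only builtin containers, strings and numbers loadable.
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_plain_pickle(raw: bytes):
    """Containment for legacy data only; not a reason to keep pickle in cookies."""
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()


def encode_status(messages: list) -> str:
    """Serialize as JSON and prepend an HMAC-SHA256 tag; no pickle involved."""
    body = json.dumps(messages, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(tag + b"." + body).decode()


def decode_status(cookie: str) -> list:
    """Return the message list, or [] for anything malformed or unauthenticated."""
    try:
        tag, body = base64.urlsafe_b64decode(cookie.encode()).split(b".", 1)
        expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return []  # tag check happens before the body is parsed at all
        data = json.loads(body)
    except (ValueError, TypeError):
        return []
    # Even authenticated data is shape-checked: a list of strings, nothing else.
    ok = isinstance(data, list) and all(isinstance(m, str) for m in data)
    return data if ok else []
```
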
Comment 1 Tomas Hoger 2007-11-05 10:43:34 EST
Created attachment 248361
Plone hotfix
Comment 2 Tomas Hoger 2007-11-05 10:49:44 EST
Some Plone components are shipped in conga - luci.  Module statusmessages seems
to be included.

James, can you please confirm whether conga packages are affected by this issue?
 Thanks!
Comment 3 Ryan McCabe 2007-11-05 11:25:52 EST
Hi, we're (luci) not affected by this. We broke this functionality on purpose.
Even though the code is shipped with luci because of dependencies, the code path
can (AFAICS) never be tripped, as we've stripped down the default page templates
substantially. Confirm by trying something like
https://<luci_server_host>:8084/luci/homebase?portal_status_message=NOTHING_HERE_TO_SEE

We'll upgrade to the latest versions of Zope and Plone for the next version we
ship, though, to be safe.
Comment 4 Jim Parsons 2007-11-05 12:06:57 EST
Ryan is spot on with his comment above. Thanks, Ryan.
Comment 5 Mark J. Cox (Product Security) 2007-11-06 09:10:00 EST
Now public at
http://plone.org/about/security/advisories/cve-2007-5741/
removing embargo
