Bug 366901 (CVE-2007-5741) - CVE-2007-5741 plone: python code injection via pickle cookie
Summary: CVE-2007-5741 plone: python code injection via pickle cookie
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-5741
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-11-05 15:42 UTC by Tomas Hoger
Modified: 2021-11-12 19:45 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-06 14:08:48 UTC


Attachments (Terms of Use)
Plone hotfix (4.58 KB, application/x-gzip)
2007-11-05 15:43 UTC, Tomas Hoger
no flags Details

Description Tomas Hoger 2007-11-05 15:42:10 UTC
A vulnerability was discovered in the statusmessages and linkintegrity
modules, where unsafe network data was interpreted as python pickles. This
allowed an attacker to run arbitrary python code within the Zope/Plone
process.

Comment 1 Tomas Hoger 2007-11-05 15:43:34 UTC
Created attachment 248361 [details]
Plone hotfix

Comment 2 Tomas Hoger 2007-11-05 15:49:44 UTC
Some Plone components are shipped in conga - luci.  Module statusmessages seems
to be included.

James, can you please confirm whether conga packages are affected by this issue?
 Thanks!


Comment 3 Ryan McCabe 2007-11-05 16:25:52 UTC
Hi, we're (luci) not affected by this. We broke this functionality on purpose.
Even though the code is shipped with luci because of dependencies, the code path
can (AFAICS) never be tripped, as we've stripped down the default page templates
substantially. Confirm by trying something like
https://<luci_server_host>:8084/luci/homebase?portal_status_message=NOTHING_HERE_TO_SEE

We'll upgrade to the latest versions of Zope and Plone for the next version we
ship, though, to be safe.

Comment 4 Jim Parsons 2007-11-05 17:06:57 UTC
Ryan is spot on with his comment above. Thanks, Ryan.

Comment 5 Mark J. Cox 2007-11-06 14:10:00 UTC
Now public at
http://plone.org/about/security/advisories/cve-2007-5741/
removing embargo


Note You need to log in before you can comment on or make changes to this bug.