Plone MembershipTool Access Control Bypass Vulnerability

Vulnerability ID: 1110052    Vulnerability type: access validation error
Published: 2006-04-12    Updated: 2006-04-12
CVE: CVE-2006-1711    CNNVD-ID: CNNVD-200604-148
Platform: Linux    CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/27630
https://www.securityfocus.com/bid/17484
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-148
|Vulnerability details
Plone 2.0.5, 2.1.2 and 2.5-beta1 do not restrict access to the methods (1) changeMemberPortrait, (2) deletePersonalPortrait and (3) testCurrentPassword, which allows remote attackers to modify member portraits.
|Exploit
source: http://www.securityfocus.com/bid/17484/info

Plone is susceptible to a remote access-control bypass vulnerability. This issue is due to the application's failure to properly enforce privileges to various MembershipTool methods.

This issue allows remote, anonymous attackers to modify and delete portrait images of members. This may help attackers exploit latent vulnerabilities in image-rendering software. Other attacks may also be possible.

curl -F portrait=<path_to_file> --form-string member_id=[username] http://www.example.com/portal_membership/changeMemberPortrait
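Added example, not code from the advisory or from Plone: a small detector that runs over constructed combined-format web-server log lines and flags requests to the three listed MembershipTool methods for which the log records no authenticated user. It assumes the front-end web server writes the remote-user field; for cookie-authenticated Plone sessions that field is often "-" regardless, so the result is a triage list for the proxy log, not proof of a bypass.

```python
import re
from typing import Iterable

# Combined log format (assumed layout for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The three MembershipTool methods the advisory lists as lacking access restriction.
UNRESTRICTED_METHODS = frozenset(
    {"changeMemberPortrait", "deletePersonalPortrait", "testCurrentPassword"}
)


def called_method(path: str):
    """Return the listed portal_membership method a request path invokes, or None."""
    marker = "portal_membership/"
    idx = path.find(marker)
    if idx < 0:
        return None
    tail = path[idx + len(marker):].split("?", 1)[0].strip("/")
    return tail if tail in UNRESTRICTED_METHODS else None


def find_unauthenticated_calls(lines: Iterable[str]) -> list:
    """One record per request to a listed method whose remote-user field is '-'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        method = called_method(m["path"])
        if method is None or m["user"] != "-":
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "verb": m["verb"],
                     "method": method, "status": int(m["status"])})
    return hits


# Constructed sample: one anonymous POST, one authenticated call, one anonymous
# delete naming another member, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2006:10:00:01 +0000] "POST /portal_membership/changeMemberPortrait HTTP/1.1" 302 0',
    '198.51.100.4 - alice [12/Apr/2006:10:00:05 +0000] "GET /portal_membership/changeMemberPortrait HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Apr/2006:10:00:09 +0000] "GET /portal_membership/deletePersonalPortrait?member_id=bob HTTP/1.1" 200 0',
    '192.0.2.9 - - [12/Apr/2006:10:01:00 +0000] "GET /index_html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in find_unauthenticated_calls(SAMPLE_LOG):
        print(hit)
```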
|Affected products
Plone 2.1.2, Plone 2.0.5, Plone 2.0.4, Plone 2.5-beta1; Debian Linux 3.1 (sparc, s/390, ppc)
|References

Source: svn.plone.org
Link: https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt
Source: MISC
Link: http://dev.plone.org/plone/ticket/5432
Source: XF
Name: plone-memberid-data-manipulation(25781)
Link: http://xforce.iss.net/xforce/xfdb/25781
Source: BID
Name: 17484
Link: http://www.securityfocus.com/bid/17484
Source: VUPEN
Name: ADV-2006-1340
Link: http://www.frsirt.com/english/advisories/2006/1340
Source: DEBIAN
Name: DSA-1032
Link: http://www.debian.org/security/2006/dsa-1032
Source: SECUNIA
Name: 19640
Link: http://secunia.com/advisories/19640
Source: SECUNIA
Name: 19633
Link: http://secunia.com/advisories/19633