Ticket #5432 (closed Bug: fixed)
Portrait methods lack security declarations or any other security framework
| Reported by: | mj | Owned by: | plonista |
|---|---|---|---|
| Priority: | critical | Milestone: | 2.1.3 |
| Component: | Infrastructure | Keywords: | security |
| Cc: | | | |
Description
The changeMemberPortrait and deletePersonalPortrait methods lack security declarations, enabling any anonymous internet user to change and delete portraits on Plone sites at will.
The following curl command would replace the portrait of a Plone.org user with a file chosen by the attacker:
curl -F portrait=@[path_to_file] --form-string member_id=[username] http://plone.org/portal_membership/changeMemberPortrait
Note that *no* credentials are required to accomplish this!
These methods furthermore lack all checks to make sure no portraits are altered by third parties even if security declarations were in place, making it possible for logged-in members to alter portraits of fellow portal members at will even with declarations.
Further risks include the uploading of malicious JPEGs or other images that trigger bugs in Internet Explorer, allowing attackers to abuse Plone sites for the spreading of malware.
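The two checks the report says are missing (a method-level permission declaration and a per-call ownership check) can be modelled stand-alone. This is an added example, not the PlonePAS fix or Zope's own `ClassSecurityInfo` machinery; the permission names, the `caller` dictionary and the `allowed` helper are assumptions made for the example.

```python
# Added example: a minimal model of the authorization a portrait method needs.
# In Zope the method-level guard is a security declaration; the ownership
# check has to be written in the method itself. Both are modelled here.

class Unauthorized(Exception):
    """Raised when the caller may not touch the requested portrait."""

# Hypothetical permission names, modelled on Plone's own vocabulary.
MANAGE_USERS = "Manage users"
SET_OWN_PROPERTIES = "Set own properties"

class PortraitTool:
    def __init__(self):
        self.portraits = {}  # member_id -> portrait bytes
        # What a security declaration provides: a permission per method.
        self.protection = {"changeMemberPortrait": SET_OWN_PROPERTIES,
                           "deletePersonalPortrait": SET_OWN_PROPERTIES}

    def _check(self, method, caller, member_id):
        # 1. Anonymous callers (caller is None) are rejected outright.
        if caller is None:
            raise Unauthorized("anonymous caller")
        # 2. Method-level permission (the missing declaration).
        needed = self.protection[method]
        if needed not in caller["permissions"]:
            raise Unauthorized(f"{caller['id']} lacks {needed!r}")
        # 3. Ownership: only your own portrait, unless you may manage users.
        if member_id != caller["id"] and MANAGE_USERS not in caller["permissions"]:
            raise Unauthorized(f"{caller['id']} may not alter {member_id}")

    def changeMemberPortrait(self, caller, member_id, portrait):
        self._check("changeMemberPortrait", caller, member_id)
        self.portraits[member_id] = portrait
        return True

    def deletePersonalPortrait(self, caller, member_id):
        self._check("deletePersonalPortrait", caller, member_id)
        return self.portraits.pop(member_id, None) is not None

def allowed(call, *args):
    """True if the call succeeds, False if it raises Unauthorized."""
    try:
        call(*args)
        return True
    except Unauthorized:
        return False
```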
Change History
comment:4 Changed 6 years ago by hannosch
- Status changed from new to closed
- Resolution set to fixed
- Milestone changed from 2.5.x to 2.1.3
comment:5 Changed 3 years ago by hannosch
- Component changed from Login and registration to Infrastructure
comment:6 Changed 3 hours ago by maurits
A more complete fix is here: https://github.com/plone/Products.PlonePAS/commit/9cd94fc4faa32bc2061137bd04649250b0c079c5

Hotfix: http://plone.org/products/plonehotfix20060410