Ticket #5432 (closed Bug: fixed)

Opened 10 years ago

Last modified 4 years ago

Portrait methods lack security declarations or any other security framework

Reported by: mj Owned by: plonista
Priority: critical Milestone: 2.1.3
Component: General Version: 4.1
Keywords: security Cc:

Description

The changeMemberPortrait and deletePersonalPortrait methods lack security declarations, enabling any anonymous internet user to change and delete portraits on Plone sites at will.

The following curl command would replace the portrait of a Plone.org user with a file chosen by the attacker:

curl -F portrait=@[path_to_file] --form-string member_id=[username] http://plone.org/portal_membership/changeMemberPortrait

Note that *no* credentials are required to accomplish this!

These methods furthermore lack all checks to make sure no portraits are altered by third parties even if security declarations were in place, making it possible for logged-in members to alter portraits of fellow portal members at will even with declarations.

Further risks include the uploading of malicious JPEGs or other images that trigger bugs in Internet Explorer, allowing attackers to abuse Plone sites for the spreading of malware.
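A minimal model of the two checks this report says are missing (no anonymous access, and no altering another member's portrait without a Manager role), plus a magic-byte check on the upload. This is an added example, not code from Products.PlonePAS; the PortraitTool and Principal classes, the method names and the role names are assumptions.

```python
# Added example, not code from Products.PlonePAS: an in-memory model of the
# authorization checks the ticket reports as missing. Names are hypothetical.

ANONYMOUS = "Anonymous User"   # id Zope gives an unauthenticated caller
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


class Unauthorized(Exception):
    """Raised when a caller may not perform the requested portrait operation."""


class Principal:
    """The authenticated caller: a user id plus the roles granted to it."""

    def __init__(self, user_id, roles=()):
        self.user_id = user_id
        self.roles = frozenset(roles)


class PortraitTool:
    """In-memory stand-in for the tool that stores member portraits."""

    def __init__(self):
        self._portraits = {}

    def _check_caller(self, caller, member_id):
        # Check 1 (what a security declaration enforces): no anonymous access.
        if caller is None or caller.user_id == ANONYMOUS:
            raise Unauthorized("authentication required")
        # Check 2: a member may only act on their own portrait; only a caller
        # holding the Manager role may act on another member's portrait.
        if member_id != caller.user_id and "Manager" not in caller.roles:
            raise Unauthorized("%s may not alter the portrait of %s"
                               % (caller.user_id, member_id))

    def change_member_portrait(self, caller, member_id, data):
        self._check_caller(caller, member_id)
        # Reject uploads that are not image files at all. This only inspects the
        # leading bytes; it does not parse the image, so malformed images still
        # need to be handled by a hardened image library.
        if not data.startswith(IMAGE_MAGIC):
            raise ValueError("upload is not a JPEG, PNG or GIF file")
        self._portraits[member_id] = data
        return True

    def delete_personal_portrait(self, caller, member_id):
        self._check_caller(caller, member_id)
        return self._portraits.pop(member_id, None) is not None

    def portrait_of(self, member_id):
        return self._portraits.get(member_id)
```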

Change History

comment:2 Changed 10 years ago by shh

Fixed on 2.0 branch: r9512

Fixed on 2.1 branch: r9513

comment:3 Changed 10 years ago by shh

Fixed on trunk: r9514

comment:4 Changed 10 years ago by hannosch

  • Status changed from new to closed
  • Resolution set to fixed
  • Milestone changed from 2.5.x to 2.1.3

comment:5 Changed 7 years ago by hannosch

  • Component changed from Login and registration to Infrastructure

comment:7 Changed 4 years ago by maurits

  • Version set to 4.1
  • severity set to Untriaged

The fix is available in Products.PlonePAS 4.0.11 (Plone 4.1.4).

That does give a slight regression, as reported by Serhat in the plone-users mailing list today. When the portrait field is enabled on the registration form and someone uploads a portrait there, you get an Unauthorized exception.

Fixed in https://github.com/plone/Products.PlonePAS/commit/d9caecf453f8a95a4e775fe990304303544134a0

comment:8 Changed 4 years ago by davisagli

  • Component changed from Infrastructure to General