Ticket #5432 (closed Bug: fixed)
Portrait methods lack security declarations or any other security framework
Reported by: mj | Owned by: plonista
The changeMemberPortrait and deletePersonalPortrait methods lack security declarations, enabling any anonymous internet user to change and delete portraits on Plone sites at will.
The following curl command would replace the portrait of a Plone.org user with a file chosen by the attacker:
curl -F portrait=@[path_to_file] --form-string member_id=[username] http://plone.org/portal_membership/changeMemberPortrait
Note that *no* credentials are required to accomplish this!
Furthermore, even if security declarations were in place, these methods lack any check that a portrait is not being altered by a third party, so logged-in members could still alter the portraits of fellow portal members at will.
Further risks include the uploading of malicious JPEGs or other images that trigger bugs in Internet Explorer, allowing attackers to abuse Plone sites for the spreading of malware.
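As an added illustration (not code from Plone or from this ticket), a standalone Python model of the checks the report says are missing: a gate against anonymous callers standing in for the security declaration, an ownership check on member_id, and basic validation of the uploaded image. The PortraitRequest class, the size limit and the signature list are assumptions made for the example.

```python
# Added, standalone model of the checks the ticket says changeMemberPortrait
# lacks. Not Plone's code; PortraitRequest, the limit and the signature list
# are hypothetical values chosen for this example.
from dataclasses import dataclass
from typing import Optional

MAX_PORTRAIT_BYTES = 256 * 1024  # constructed upper bound for the example

# Leading bytes of the image formats this example accepts (constructed allow-list).
_IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


@dataclass
class PortraitRequest:
    authenticated_user: Optional[str]  # None models an anonymous request
    is_manager: bool                   # stands in for a 'Manage portal' check
    member_id: str                     # the member_id form field from the ticket
    upload: bytes                      # the portrait file contents


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in _IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def change_member_portrait(req: PortraitRequest) -> str:
    """Apply the three checks in order; return 'ok' or the reason for refusal."""
    # 1. Security declaration: anonymous callers never reach the method body.
    if req.authenticated_user is None:
        return "unauthorized"
    # 2. Ownership: a member may only change their own portrait unless a manager.
    if req.member_id != req.authenticated_user and not req.is_manager:
        return "forbidden"
    # 3. Content: bound the size and require a recognised image signature,
    #    so arbitrary files cannot be served back to other users as portraits.
    if len(req.upload) > MAX_PORTRAIT_BYTES:
        return "too-large"
    if sniff_image_type(req.upload) is None:
        return "not-an-image"
    return "ok"
```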
- Status changed from new to closed
- Resolution set to fixed
- Milestone changed from 2.5.x to 2.1.3
- Component changed from Login and registration to Infrastructure