7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.019 Low
EPSS
Percentile
88.6%
The version of Plone on the remote host fails to require authentication to access several sensitive functions.
Plone is built on top of Zope, which maps Python objects and their methods to URLs. Methods can have security restrictions, such as requiring a login account or a specific privilege level, applied to them to limit access. The installed version of Plone permits access to several methods that allow the adding, deleting, and changing content and users.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(53546);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2011-0720");
script_bugtraq_id(46102);
script_xref(name:"SECUNIA", value:"43146");
script_name(english:"Plone Security Bypass");
script_set_attribute(attribute:"synopsis", value:
"The remote web server has an application that that is affected by a
security bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of Plone on the remote host fails to require
authentication to access several sensitive functions.
Plone is built on top of Zope, which maps Python objects and their
methods to URLs. Methods can have security restrictions, such as
requiring a login account or a specific privilege level, applied to
them to limit access. The installed version of Plone permits access
to several methods that allow the adding, deleting, and changing
content and users.");
script_set_attribute(attribute:"see_also", value:"http://plone.org/products/plone/security/advisories/cve-2011-0720");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2011/Apr/293");
script_set_attribute(attribute:"solution", value:
"Apply Plone Hotfix CVE-2011-0720.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/02/02");
script_set_attribute(attribute:"patch_publication_date", value:"2011/02/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:plone:plone");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2011-2022 Tenable Network Security, Inc.");
script_dependencies("plone_detect.nasl");
script_require_keys("www/plone");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("http.inc");
include("misc_func.inc");
include("webapp_func.inc");
# Get details of Plone install.
port = get_http_port(default:80);
install = get_install_from_kb(appname:"plone", port:port, exit_on_fail:TRUE);
dir = install["dir"];
# Try to access a method that should be restricted to privileged, authenticated,
# users.
object = "acl_users";
method = "getUsers";
url = dir + "/" + object + "/" + method;
res = http_send_recv3(
method : "GET",
item : url,
port : port,
exit_on_fail : TRUE
);
# If it's not a Python list, then we can assume it didn't work.
if (!ereg(string:res[2], pattern:"^\[.*\]$"))
exit(0, "The Plone installation at " + build_url(port:port, qs:dir) + " is not affected.");
if (report_verbosity > 0)
{
report =
'\nNessus was able to exploit the issue using the following request :' +
'\n' +
'\n ' + build_url(port:port, qs:url) +
'\n';
if (report_verbosity > 1)
report +=
'\nIt produced the following response :' +
'\n' +
'\n ' + res[2];
security_hole(port:port, extra:report + '\n');
}
else security_hole(port);