Plone Zope SAXutils Command Execution

2012-01-13T00:00:00
ID SAINT:9CF5C6C24AE80412715049E11134256A
Type saint
Reporter SAINT Corporation
Modified 2012-01-13T00:00:00

Description

Added: 01/13/2012
CVE: CVE-2011-3587
BID: 49857
OSVDB: 76105

Background

Plone is a free and open source content management system built on top of the Zope application server. Plone can be used for any kind of website, including blogs, internet sites, webshops and internal websites.

Problem

Plone fails to properly sanitize user-supplied input passed to cmd parameter in p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2. This can be exploited to execute arbitrary shell commands.

Resolution

Upgrade to Plone 2.12.20 or 2.13.10 or apply patch Products.Zope_Hotfix_CVE_2011_3587.

References

<http://plone.org/products/plone/security/advisories/20110928>

Limitations

This exploit has been tested against Plone 4.1 on Fedora 13 Linux and Plone 4.0.9 on Ubuntu 10.04 LTS.

Platforms

Windows
Linux
Mac OS X