Plone Zope SAXutils Command Execution

2012-01-13T00:00:00
ID SAINT:C999148B18225353D8171CA71E6C7429
Type saint
Reporter SAINT Corporation
Modified 2012-01-13T00:00:00

Description

Added: 01/13/2012
CVE: CVE-2011-3587
BID: 49857
OSVDB: 76105

Background

Plone is a free and open source content management system built on top of the Zope application server. Plone can be used for any kind of website, including blogs, internet sites, webshops and internal websites.

Problem

Plone fails to properly sanitize user-supplied input passed to cmd parameter in p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2. This can be exploited to execute arbitrary shell commands.

Resolution

Upgrade to Plone 2.12.20 or 2.13.10 or apply patch Products.Zope_Hotfix_CVE_2011_3587.

References

<http://plone.org/products/plone/security/advisories/20110928>

Limitations

This exploit has been tested against Plone 4.1 on Fedora 13 Linux and Plone 4.0.9 on Ubuntu 10.04 LTS.

Platforms

Windows
Linux
Mac OS X