Plone's Outstanding Security Track Record: no credible report of a serious vulnerability in Plone being exploited in the wild

The original news release is at https://plone.org/news/plones-outstanding-security-track-record but is reproduced here.

##Plone's Outstanding Security Track Record

No credible report of a serious vulnerability in Plone being exploited in the wild. – published Jan 04, 2017 10:05 PM UTC, last modified Jan 05, 2017 03:26 PM UTC

Plone is an extraordinarily secure content management system, having stood the test of time for 15 years and counting.

Plone's outstanding security track record is a result of many things:

  • good coding practices
  • processes, including continuous integration and testing
  • a proactive security team that performs security reviews, investigates claims and reports of vulnerabilities, and responds appropriately and immediately as necessary

Plone has never received a report of a serious vulnerability in Plone being exploited in the wild.

Security fix announcements are normally issued with two weeks' notice. If the Plone security team were to receive reports of a zero day exploit or vulnerability in the wild, it would release a security fix immediately.

The Plone security team has been aware of a recent claim, has examined it, and has determined that it is a hoax. There is no zero-day flaw in Plone nor in Plone-based distributions.

Information about Plone's security track record and features: https://plone.org/security/track-record

An overview of Plone and its features: https://plone.com

##Details Regarding the Recent Hoax

Some users on Twitter are circulating rumours about a zero day vulnerability in Plone being used to attack the FBI. The Plone Security Team believes that these claims are a hoax. As Plone is open source software, it is easy to fake a screenshot showing Plone’s code. Causing source code to be leaked to the end user is a common form of attack against PHP applications, but as Python applications don’t use the cgi-bin model of execution it has never been a marker of an attack against a Python site.

The only hint he has given about the problem is a tweet saying that access to the “acl_users” directory should be restricted. These pages are used by Plone to prompt the user to log in when they try to access the site administration without authorisation. There is no "acl_users" directory on the machine; this is just part of Plone’s authentication framework.

The hashes he claims to have released display several indicators of being fake. Firstly, the email addresses used match other FBI emails that have been harvested over the years and are publicly available. The password hashes and salts he claims to have found are not consistent with values generated by Plone, indicating they were bulk generated elsewhere.

The bigger scam here is the repeated references to the exploit being for sale, and messages to other Plone users. The so-called "exploit" is for sale on Tor for 8 BTC ($9000 US), but it is not possible to get refunds on such transactions. We don’t believe the FBI is his target; it is more likely that he is using this high profile site as a way of advertising fake exploits for sale. There is no reason to believe that his claims are genuine and we remind all website administrators to be wary of social media users claiming to have bugs for sale.

This is not the first time this person has released information about a hack that later turned out to be fraudulent: in 2012 he provided information about oil companies that was revealed to be fake a week later: http://thenextweb.com/insider/2012/07/19/data-from-the-anonymous-attack-on-oil-companies-may-have-been-faked/

##Quotes

“The aim of releasing information from such a hack is to convince people that you've indeed hacked the target. Claims of hacks that only give information that is publicly available (such as open-source code) or impossible to verify (such as hashed passwords) are common signs of a hoax” – Matthew Wilkes, Plone security team

“It is extremely easy to fake a hack like this. It takes only rudimentary Photoshop skills or use of the Chrome JavaScript developer console.” – Nathan Van Gheem, Plone security team

“I can say for sure that at least some of the data posted as proof is 100% fake. The hoax was a bit elaborate indeed, but that's it.” – Alexandru Ghica, Eau de Web, maintainer of EU websites that were claimed to be vulnerable

##Technical details

He claims that the server is running FreeBSD ver 6.2-RELEASE. It is extremely unlikely that the FBI would run such an old version of FreeBSD. Moreover, FreeBSD 6.2 provides Python 2.4, with the option of using Python 2.5. Plone does not run on such old versions of Python.

Plone has a backup system to back up the database, and these backups do not use a ".bck" extension and are always written into a var directory, not the Plone installation root or any webserver root directory. It would be hard to change this behaviour and there would be no benefit in doing so.

One screenshot shows information about an email, claiming it is part of the FBI’s mail logs. It shows an automatically generated email about a hard drive error. This appears to be his own server’s logs, as although he has modified the name of the server in the log to be an FBI one, he has neglected to change the timezone reported in the emails from Indian Standard Time to Eastern Standard Time.

He references filename enumeration; however, Plone does not expose directories through the web like a traditional PHP site does. Plone URLs map either to registered view code or content in the database.

##About Plone

Plone is an extraordinarily secure content management system, having stood the test of time for 15 years and counting without any reports of a serious vulnerability being exploited in the wild. Security fixes are normally issued with two weeks' notice; however, if the Plone security team were to receive reports of a zero day exploit or vulnerability in the wild, it would release a security fix immediately.

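Two of the indicators the release relies on (hashes that are not in the shape Plone writes, and mail-log timestamps in the wrong time zone) can be turned into mechanical triage checks. The following is an added example written for this page, not code from plone.org or the Plone project. It assumes, which the release does not state, that Plone of this era stored passwords through Zope's AuthEncoding SSHA scheme, i.e. `{SSHA}` followed by base64(sha1(password + salt) + salt) with a 7-byte random salt; the "real" and "fake" hash strings and the Date headers are all constructed for the example.

```python
"""Triage checks for a claimed credential/log dump.

Added example, not code from the Plone project.  Assumption: Plone stores
passwords via Zope's AuthEncoding SSHA scheme, "{SSHA}" + base64(sha1(pw+salt)
+ salt), salt = 7 random bytes.  All sample data below is constructed.
"""
import base64
import binascii
import hashlib
import hmac
import os
from email.utils import parsedate_to_datetime
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20
SALT_LEN = 7  # AuthEncoding.SSHADigestScheme.generate_salt() uses 7 bytes


def ssha_encrypt(password: str, salt: Optional[bytes] = None) -> str:
    """Write a hash the way the assumed Plone scheme does (reference shape)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def looks_like_plone_ssha(stored: str) -> bool:
    """Structural check only: could this string have been written by Plone?

    Other SSHA implementations (e.g. LDAP servers) use different salt
    lengths, so the exact 20 + 7 byte payload is a fingerprint of Zope's
    generator, not of SSHA in general.
    """
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == SHA1_LEN + SALT_LEN


def ssha_validate(stored: str, attempt: str) -> bool:
    """Verify a password against a stored hash (constant-time compare)."""
    if not looks_like_plone_ssha(stored):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    salt = raw[SHA1_LEN:]
    expected = hashlib.sha1(attempt.encode("utf-8") + salt).digest() + salt
    return hmac.compare_digest(raw, expected)


def mail_date_offset_hours(date_header: str) -> float:
    """UTC offset, in hours, carried by an RFC 5322 Date header."""
    dt = parsedate_to_datetime(date_header)
    off = dt.utcoffset()
    if off is None:
        raise ValueError("Date header carries no usable zone: %r" % date_header)
    return off.total_seconds() / 3600


def date_zone_consistent(date_header: str, expected_offset_hours: float) -> bool:
    """Does the log's timestamp zone match where the server is claimed to be?"""
    return mail_date_offset_hours(date_header) == expected_offset_hours


def triage(hashes, date_headers, expected_offset_hours):
    """Return a list of human-readable indicators that a dump is not what it claims."""
    findings = []
    for h in hashes:
        if not looks_like_plone_ssha(h):
            findings.append("hash not in Plone SSHA shape: %s" % h)
    for d in date_headers:
        if not date_zone_consistent(d, expected_offset_hours):
            findings.append("timestamp zone %+.1fh, expected %+.1fh: %s"
                            % (mail_date_offset_hours(d), expected_offset_hours, d))
    return findings


# Constructed sample data (not from any real dump).
REAL_HASH = ssha_encrypt("correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07")
FAKE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99:a1b2c3d4"   # MD5-hex:salt, bulk-generated style
IST_DATE = "Wed, 04 Jan 2017 09:12:44 +0530"               # Indian Standard Time
EST_DATE = "Wed, 04 Jan 2017 09:12:44 -0500"               # US Eastern Standard Time
EST_OFFSET = -5.0

if __name__ == "__main__":
    for line in triage([REAL_HASH, FAKE_HASH], [IST_DATE, EST_DATE], EST_OFFSET):
        print(line)
```

Running the block prints one finding for the MD5-style hash and one for the IST timestamp, while the SSHA hash and the EST header pass silently; a dump in which every entry trips the first check is a strong sign the values were generated somewhere other than the application claimed.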

Here is a good article covering the back story. The journalist contacted us in our Gitter.im chat room last night.