Security fix for image_view_fullscreen: cache poisoning

See also CMFPlone security advisory on GitHub.

Plone is vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish.
The technique is known as cache poisoning.
Any later visitor can get redirected when clicking on a link on this page.
Usually only anonymous users are affected, but this depends on your cache settings.

All Plone versions are vulnerable, at least Plone 4.3 and higher (we did not check older versions). It depends on your Plone version and the Image content type which package is vulnerable: Products.CMFPlone, plone.app.contenttypes or Products.ATContentTypes.

The Plone Security Team has released fixes for Plone 5.2:

  • plone.app.contenttypes 2.2.3 (see advisory)
  • Products.ATContentTypes 3.0.6 (see advisory. If you are on Python 3 you will not be using this package.

and for Plone 6:

  • plone.app.contenttypes 3.0.0a9 (see advisory)

Today, Plone 5.2.7 and 6.0.0a3 have been released with these updated packages. Separate announcements will follow.

Workaround

For all affected Plone versions, with or without a fixed package, the following workaround is available:

Make sure the image_view_fullscreen page is not stored in the cache. In Plone:

  • Login as Manager and go to Site Setup.
  • Go to the 'Caching' control panel. If this does not exist, or 'Enable caching' is not checked, you should normally not be vulnerable.
  • Click on the tab 'Caching operations'.
  • Under 'Legacy template mappings' locate the ruleset 'Content item view'.
  • From the last column ('Templates') remove 'image_view_fullscreen'.
  • Click on Save.

Reporter

This vulnerability was responsibly disclosed to the Plone Security Team by Gustav Hansen, F-Secure Consulting. Thank you!

For more information

If you have any questions or comments about this advisory, email us at security@plone.org
This is also the correct address to use when you want to report a possible vulnerability.
See our security report policy.

To answer one question already: why not a hotfix package?
Since the fix is in a Page Template, and not in Python code, our usual way of fixing this in a special hotfix package was not viable.

6 Likes

i'm wondering if this applies to plone 4.3 sites too?

(up until now all hotfixes still also addressed this version, although officially not supported anymore)

thanks for your reply @mauritsvanrees

Yes, this is also a vulnerability on Plone 4.3 (and likely on older versions as well.
On 4.3, 5.0, 5.1 you can apply the workaround. Well, on 5.2 and 6.0 too, if you don't want to install new packages.
I have made this more clear (I hope) by editing the above post.
After "All Plone versions are vulnerable" I have added: "at least Plone 4.3 and higher (we did not check older versions)."

BTW, a different workaround is to locate the vulnerable template, customise it, and fix it there. Depending on version and package, this can be done in portal_skins/custom or portal_view_customizations.

1 Like