[Framework-Team] Re: FW: Plone site compromise epidemic!

Alec Mitchell apm13 at columbia.edu
Fri Sep 15 00:24:59 UTC 2006


To say these sites are "compromised" is a bit extreme.  People who
were allowed to create profiles (i.e. this only happens to sites where
anybody can join) could take advantage of a minor XSS vulnerability to
seed google requests.  Additionally there was an apparently more common
avenue of attack for sites where normal self-joining users could add
content, whereby they could put arbitrary html in a File object and
have it render inline, scripts and all (which has more potential for
danger, as the portrait issue was mainly visible only for search
engines).  These issues are both fixed.  In the end the abuse is only
a tiny bit more significant than the ubiquitous forum and blog spam
found all over the web.

Alec

On 9/14/06, Alexander Limi <limi at plone.org> wrote:
> It has been fixed, that's what the 2.5.1 and 2.1.4 releases were about.
>
> Full instructions are here:
> http://plone.org/documentation/how-to/clean-up-link-spam-on-your-site
>
> -- Alexander
>
> On Thu, 14 Sep 2006 16:54:25 -0700, Alan Runyan
> <alan at enfoldsystems.com> wrote:
>
> >
> >
> >  Alan Runyan
> >  Enfold Systems, Inc.
> >  http://www.enfoldsystems.com/
> >  phone: +1.713.942.2377x111
> >  fax: +1.832.201.8856
> >
> >
> > -----Original Message-----
> > From: Sean Duffy [mailto:swduffy at unmc.edu]
> > Sent: Wednesday, September 13, 2006 10:45 AM
> > To: runyaga at plone.org
> > Subject: Plone site compromise epidemic!
> >
> > Hi,
> >
> > I have seen a recent flood of compromised Plone sites.
> >
> > A Google search for the terms plone_memberdata and viagra:
> >
> > http://www.google.com/search?q=portal_memberdata+viagra
> >
> > generates over half a million hits.  Someone should look into changing
> > the 'out of the box' security settings & set up some hotfixes.
> >
> > Help!
> >
> > Sean
> >
> > stuffduff at cox.net
> > swduffy at unmc.edu
> >
>
>
>
> --
> _____________________________________________________________________
>
>       Alexander Limi · Chief Architect · Plone Solutions · Norway
>
>   Consulting · Training · Development · http://www.plonesolutions.com
> _____________________________________________________________________
>
>        Plone Co-Founder · http://plone.org · Connecting Content
>    Plone Foundation · http://plone.org/foundation · Protecting Plone
>
>
>
> _______________________________________________
> Framework-Team mailing list
> Framework-Team at lists.plone.org
> http://lists.plone.org/mailman/listinfo/framework-team
>
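The second avenue Alec describes, a self-joined user uploading a File whose body is HTML and having the site hand it back inline so the browser runs its scripts, is a generic stored-XSS-via-upload pattern. The following is an added example, not Plone's or Zope's own code and not the patch that shipped in 2.5.1/2.1.4: a vulnerable download handler next to a hardened one, with a constructed spam upload to exercise both. `StoredFile`, `serve_inline_unsafe`, `serve_hardened` and the sample uploads are all hypothetical names invented for this illustration; the `X-Content-Type-Options` and `Content-Security-Policy` headers postdate the thread and are included as what a current deployment would send.

```python
"""Vulnerable vs. hardened serving of user-uploaded files (added example).

The weak handler trusts the uploader's declared content type and tells the
browser to render the bytes inline, so an HTML upload becomes stored XSS.
The hardened handler forces a download, neutralises active content types,
sniffs the first KiB for HTML markers regardless of the declared type, and
sanitises the filename so it cannot smuggle header characters.
"""
import re
from dataclasses import dataclass

# Types a browser will execute script from if rendered inline.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript", "application/javascript",
}

# Cheap sniff for markup that makes a body renderable as HTML.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|object|embed|meta)\b",
    re.IGNORECASE,
)


@dataclass
class StoredFile:  # hypothetical stand-in for a stored File object
    filename: str
    content_type: str  # exactly as declared by the uploader
    data: bytes


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes contain tags a browser would act on."""
    return HTML_MARKERS.search(data[:1024]) is not None


def serve_inline_unsafe(f: StoredFile):
    """VULNERABLE: declared type is echoed and the body is rendered inline."""
    headers = {
        "Content-Type": f.content_type,
        "Content-Disposition": f'inline; filename="{f.filename}"',
    }
    return headers, f.data


def serve_hardened(f: StoredFile):
    """Safe download: never render user bytes as a document in our origin."""
    ct = f.content_type.split(";", 1)[0].strip().lower()
    # Downgrade anything executable, or anything that merely looks like HTML,
    # to an opaque blob so no browser will interpret it.
    if ct in ACTIVE_TYPES or looks_like_html(f.data):
        ct = "application/octet-stream"
    # Keep only filename-safe characters; strips quotes, CR/LF and path bits.
    safe_name = re.sub(r"[^\w.\-]", "_", f.filename)[:128] or "download"
    headers = {
        "Content-Type": ct,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",  # no MIME sniffing back to HTML
        "Content-Security-Policy": "sandbox",  # belt-and-braces if ever inlined
    }
    return headers, f.data


# Constructed sample uploads (not real data): a link-spam HTML page uploaded
# as a File, the same payload disguised as an image, and a benign PNG header.
SPAM_HTML = StoredFile(
    "pills.html", "text/html",
    b'<html><body><a href="http://example.invalid/">cheap pills</a>'
    b"<script>location='http://example.invalid/'</script></body></html>",
)
SPAM_DISGUISED = StoredFile(
    'cat.gif"\r\nX-Injected: 1', "image/gif",
    b"<script>document.write('spam')</script>",
)
BENIGN_PNG = StoredFile("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)


if __name__ == "__main__":
    for upload in (SPAM_HTML, SPAM_DISGUISED, BENIGN_PNG):
        print(upload.filename, "->", serve_inline_unsafe(upload)[0]["Content-Type"],
              "|", serve_hardened(upload)[0])
```

The sniff is deliberately conservative: a false positive only costs a legitimate file its inline rendering, while a miss hands an attacker script execution in the site's origin. For file types that must render inline (images, PDFs), the usual complement is to serve them from a separate cookie-less origin so that even a successful bypass cannot reach the main site's session.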



