[Plone-IT] hotfix

SauZheR sauzher a gmail.com
Wed 7 Nov 2012 11:00:00 UTC


The problem only arises if a fileField has a read_permission that is more
restrictive than the one in effect on the context: for example, a public
content item with a fileField available only to reviewers.

bye
On 07/Nov/2012 11:32, "Yuri" <yurj a alfa.it> wrote:

> On 07/11/2012 11:29, Vito Falco wrote:
>
>> For clarification on the BLOB issue, just ask Sauzher, who is the one
>> who "caught" it :)
>>
>
> Is there a pattern I can grep the logs for? That way I can see whether
> anyone has tried to do it :-P
>
>
>>     Information for security researchers
>>     Impact Subscore: 4.9
>>     Exploitability Subscore: 10
>>     Overall CVSS Score: 5
>>     Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P/E:**P/RL:O/RC:C)
>>     CWE: CWE-306
>>     Credit: Alessandro SauZheR
>>
>>
>> Vito
>>
>> 2012/11/7 Yuri <yurj a alfa.it>
>>
>>     http://plone.org/products/plone/security/advisories/20121106
>>
>>     Here are all the problems fixed by the hotfix. Some are paranoid
>>     in normal cases (how many real untrusted users do we have who
>>     write Python scripts?); the only one worth noting, it seems to me,
>>     is this one:
>>
>>     http://plone.org/products/plone/security/advisories/20121106/17
>>
>>     BLOBs stored on custom content types can be accessed through a
>>     non-standard URL, bypassing the declared permission check
>>
>>     Anonymous users can use a crafted URL to illegitimately download
>>     Files and Images.  Thanks to Karl Johan Kleist who found that this
>>     had been incorrectly reported, and let the security team know.
>>
>>     ===============
>>
>>     So I think this is the only "real" problem. From the fix it looks
>>     to me like the field is reachable through its index_html method.
>>     So from a web URL one somehow gets to the field, and from there
>>     the method lets you download the file, regardless of
>>     permissions.
>>
>>     Do you agree?
>>
>>     _______________________________________________
>>     Plone-IT mailing list
>>     Plone-IT a lists.plone.org
>>     https://lists.plone.org/mailman/listinfo/plone-plone-it
>>     http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
>>
>>
>>
>>
>> --
>> *Vito Falco*
>> Freelance web developer & designer, Plone enthusiast
>> Bari, IT
>> tel +39 3346330137 | skype vito80ba | twitter vito80ba
>> Blog http://appuntiplone.wordpress.com/
>>
>>
>>
>
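An added example, not code from Plone or from anyone in this thread, modelling the point SauZheR makes above: a download path that only checks the context's View permission hands a blob to anyone who may see the public page, while the hardened path also enforces the field's own read_permission. All class, role and permission names here are constructed for the illustration.

```python
# Constructed permission names; illustrative, not Plone's real permission strings.
VIEW = "View"
REVIEW = "Review portal content"

class Context:
    """A content item: maps each permission to the roles allowed to exercise it."""
    def __init__(self, permission_roles):
        self.permission_roles = permission_roles

class FileField:
    """A blob-holding field that may declare a stricter read_permission than View."""
    def __init__(self, name, read_permission=VIEW, data=b""):
        self.name = name
        self.read_permission = read_permission
        self.data = data

def has_permission(user_roles, permission, context):
    """True if any of the user's roles is granted `permission` on `context`."""
    allowed = context.permission_roles.get(permission, ())
    return bool(set(user_roles) & set(allowed))

def download_flawed(user_roles, context, field):
    """Weak pattern: only the context-level View check; field permission ignored."""
    if not has_permission(user_roles, VIEW, context):
        raise PermissionError("Unauthorized")
    return field.data

def download_fixed(user_roles, context, field):
    """Hardened pattern: View on the context AND the field's declared read_permission."""
    if not has_permission(user_roles, VIEW, context):
        raise PermissionError("Unauthorized")
    if not has_permission(user_roles, field.read_permission, context):
        raise PermissionError("Unauthorized")
    return field.data

# Constructed scenario from the thread: a published item whose file field is reviewer-only.
PUBLIC_ITEM = Context({VIEW: ("Anonymous", "Reviewer"), REVIEW: ("Reviewer",)})
SECRET_FILE = FileField("attachment", read_permission=REVIEW, data=b"constructed blob")

def anonymous_can_download(downloader):
    """True if the given download path serves the blob to an anonymous visitor."""
    try:
        downloader(["Anonymous"], PUBLIC_ITEM, SECRET_FILE)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    print("flawed path leaks to anonymous:", anonymous_can_download(download_flawed))
    print("fixed path leaks to anonymous:", anonymous_can_download(download_fixed))
```

The same check needs to sit on every route that can reach the field's data, not only on the content item's normal view; a second, non-standard route that skips it is exactly the class of bug the advisory describes.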