Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Plone 5.0.5
Fixed in:            Hotfix 20170117
Fixed Version Link:  https://plone.org/security/hotfix/20170117
Vendor Contact:      security@plone.org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 01/26/2017
Release mode:        Coordinated Release
CVE:                 CVE-2016-7147
Credits              Tim Coen of Curesec GmbH

2. Overview

Plone is an open source CMS written in python. In version 5.0.5, the Zope
Management Interface (ZMI) component is vulnerable to reflected XSS as it does
not properly encode double quotes.

3. Details

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The search functionality of the management interface is vulnerable
to reflected XSS. As the input is echoed into an HMTL attribute, an attacker
can use double quotes to escape the current attribute and add new attributes to
enter a JavaScript context.

Proof of Concept:

http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all&
obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec=
%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find

4. Solution

To mitigate this issue please apply the hotfix 20170117.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVE
09/06/2016 CVE assigned
09/06/2016 Vendor requests 90 days to release fix
01/10/2017 Contacted Vendor Again, Vendor announces hotfix
01/17/2017 Vendor releases hotfix
01/26/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Plone-XSS-186.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-StraAe 54
10365 Berlin, Germany