Plone Security Advisory: Password Reset Tool

Summary
=======
A potential security vulnerability was discovered as part of the recent  
security audit done in preparation for the 2.5.1 release. Any site running  
Plone 2.5 should upgrade to the latest version of PasswordResetTool. Plone  
2.1.x and 2.0.x are not affected.

This vulnerability has been submitted to the Common Vulnerabilities and  
Exposures (CVE) database as CVE-2006-4247.


Vulnerability details
=====================
An erroneous security declaration could allow a person sufficiently  
familiar with Zope to request a password reset for a given user and then  
intercept that request, giving them the ability to change that user's  
password.


Affected versions
=================
Only the versions of Plone that ship with a PasswordResetTool older than  
0.4.1 are affected:

   * Plone 2.5
   * Plone 2.5.1 Release Candidate

Installers for all later releases include a fix for this problem.

Plone versions 1.0.x, 2.0.x and 2.1.x are NOT affected unless you have  
separately installed Password Reset Tool 0.4.0 or earlier.


Installing a fix
================
The vulnerability is fixed by making sure you are running version 0.4.1 or  
later of the Password Reset Tool product. Plone 2.5.1 final will ship with  
this version included; in the meantime we suggest that you update the  
component manually:

   * Download PasswordResetTool:
     http://plone.org/about/products/passwordresettool
   * Delete the existing PasswordResetTool folder in your installation
   * Replace it with the new version you just downloaded
   * (Re)start your Plone instance
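As an added check that is not part of this advisory or of the PasswordResetTool product, the script below reads the installed tool's version and reports whether it is older than the fixed 0.4.1, so an administrator can confirm the upgrade above actually took effect. It assumes the Zope 2 convention that a product records its version in Products/<ProductName>/version.txt, and treats pre-release tags (for example an rc build) as older than the final release of the same number.

```python
"""Check whether an installed PasswordResetTool predates the 0.4.1 fix."""
import os
import re

FIXED_VERSION = "0.4.1"  # first version without the erroneous security declaration


def parse_version(text):
    """Turn a version.txt string into a comparable value.

    Accepts forms such as '0.4.0', '0.4.1rc1', '0.4.1 final' or
    'PasswordResetTool 0.4.1'. Returns (numbers, rank, suffix) where a
    final release (rank 1) sorts above any pre-release tag (rank 0) of the
    same number.
    """
    m = re.search(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # so '0.4' compares like '0.4.0'
    suffix = m.group(2).strip().lower()
    rank = 1 if suffix in ("", "final") else 0
    return (numbers, rank, suffix)


def is_affected(version_text):
    """True when the installed tool is older than the fixed version."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def check_products_dir(products_dir):
    """Inspect <products_dir>/PasswordResetTool/version.txt (assumed layout).

    Returns None when the tool is not installed at all (the Plone 2.0.x/2.1.x
    case unless it was added separately), otherwise (version, affected).
    """
    path = os.path.join(products_dir, "PasswordResetTool", "version.txt")
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        version = fh.read().strip()
    return version, is_affected(version)


if __name__ == "__main__":
    import sys
    # Hypothetical invocation: python check_prt.py /path/to/instance/Products
    result = check_products_dir(sys.argv[1] if len(sys.argv) > 1 else "Products")
    if result is None:
        print("PasswordResetTool not installed; not affected")
    else:
        print("PasswordResetTool %s: %s" % (result[0], "AFFECTED, upgrade" if result[1] else "ok"))
```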


Known Exposure
==============
There are no known cases of this vulnerability being exploited on existing sites.

_______________________________________________
Plone-Announce mailing list
https://lists.sourceforge.net/lists/listinfo/plone-announce