Plone releases that use PlonePAS (Plone 2.5 and Plone 2.5.1) have a potential
vulnerability that allows a user to masquerade as a group. Please update
your sites.
Affected versions:
* Plone 2.5
* Plone 2.5.1
Plone versions 1.0.x, 2.0.x and 2.1.x are NOT affected unless you have
separately installed PlonePAS and have not configured a prefix property on
the source_groups plugin.
This vulnerability only applies to sites which allow member registration
to anonymous users.
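The following is a simplified model added to this advisory, not PlonePAS code: it assumes the masquerade works through a self-registered user id colliding with a group id in the shared principal namespace, which is what a prefix on the group source separates. The reject_group_ids check is a hypothetical second line of defence, not something the hotfix is described as doing.

```python
"""Constructed model of a user/group id collision and the prefix mitigation."""


class PrincipalStore:
    """Toy stand-in for a PAS-style user source, group source and role manager."""

    def __init__(self, group_prefix=""):
        self.group_prefix = group_prefix  # "" models an unconfigured prefix on the group source
        self.users = set()
        self.groups = {}  # group principal id -> roles granted to the group
        self.roles_by_principal = {}  # one id namespace shared by users and groups

    def add_group(self, name, roles):
        gid = self.group_prefix + name
        self.groups[gid] = set(roles)
        self.roles_by_principal[gid] = set(roles)

    def register_user(self, login, reject_group_ids=False):
        # Anonymous self-registration: nothing stops a login equal to a group id
        # unless the hypothetical collision check below is enabled.
        if reject_group_ids and login in self.groups:
            raise ValueError(f"login {login!r} collides with an existing group id")
        self.users.add(login)
        # setdefault keeps any roles already recorded under this id: with a
        # colliding id the new user silently inherits the group's roles.
        self.roles_by_principal.setdefault(login, {"Member"})

    def roles_for(self, principal_id):
        return set(self.roles_by_principal.get(principal_id, set()))


def demo():
    # Unprefixed group source: the group "Administrators" and a freshly
    # registered user named "Administrators" resolve to the same principal id.
    vulnerable = PrincipalStore(group_prefix="")
    vulnerable.add_group("Administrators", ["Manager"])
    vulnerable.register_user("Administrators")
    roles_vulnerable = vulnerable.roles_for("Administrators")  # {'Manager'}

    # Prefixed group source: group ids live outside the user id space, so the
    # same registration only yields the ordinary Member role.
    hardened = PrincipalStore(group_prefix="group_")
    hardened.add_group("Administrators", ["Manager"])
    hardened.register_user("Administrators")
    roles_hardened = hardened.roles_for("Administrators")  # {'Member'}
    return roles_vulnerable, roles_hardened


if __name__ == "__main__":
    print(demo())
```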
Installing the hotfix
If Plone 2.5.2 is not released by the time you read this, or you cannot
upgrade your Plone, you can install Plone Hotfix 2006-10-31. The hotfix
is installed like a normal Zope product:
* Extract it in the Products directory of your Zope instance
* Restart Zope
* Verify that the hotfix is listed in the product management page in
the Zope Control Panel
The hotfix can be downloaded here:
http://plone.org/products/plone-hotfix/releases/20061031
Reported incidents:
No incidents of this happening to sites in the wild have been reported.
On behalf of the Plone Team,
Alexander Limi
Plone-Announce mailing list
https://lists.sourceforge.net/lists/listinfo/plone-announce