Page Template source not protected adequately

Bug #978980 reported by Richard Mitchell
Affects           | Status       | Importance | Assigned to | Milestone
Zope 2            | Fix Released | Medium     | Tres Seaver |
Zope CMF buildout | Triaged      | Low        | Unassigned  |

Bug Description

Both Products.PageTemplate.ZopePageTemplate.ZopePageTemplate and Products.CMFCore.FSPageTemplate.FSPageTemplate have the following unprotected attributes which provide access to the template source:

'source_dot_xml',
'source.xml',
'source.html'

These are publishable to any user, without any authentication.

e.g. http://www.plone.org/login_form/source_dot_xml

I had a go at CVSSing this, though it's my first time so might be worth checking...

CVSS Base Score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 10
CVSS Temporal Score: Undefined
CVSS Environmental Score: 3.9 (CDP:N/TD:ND/CR:L/IR:ND/AR:ND)
Overall CVSS Score: 3.9

Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N/CDP:N/TD:ND/CR:L/IR:ND/AR:ND)

To put a smile on your face, the 'Src' class, an instance of which is assigned to these attributes, has the ironic docstring:
""" I am scary code """

Changed in zope2:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Matthew Wilkes (matthew-matthewwilkes) wrote :

Environmental scores aren't set by the vendor:

CVSS Base Score: 5
Impact Subscore: 2.9
Exploitability Subscore: 10
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
Overall CVSS Score: 5

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

When we release patches that gets multiplied by 0.74 for the temporal score, but the base score is almost always 5.

Revision history for this message
Matthew Wilkes (matthew-matthewwilkes) wrote :

For the record, the CWE identifier is CWE-540 "Information Exposure Through Source Code"

Revision history for this message
Tres Seaver (tseaver) wrote :

While I agree that the behavior you describe exists, I'm not sure why it is classified as a security vulnerability worthy of a CVE: what information do you imagine is being disclosed? Surely the same argument could be made for "disclosing" the rendered HTML, too.

FWIW, this behavior is a designed-in feature of ZPT, present from the very earliest checkin.

Changed in zope2:
importance: Medium → Low
Revision history for this message
Tres Seaver (tseaver) wrote :

If / when a new version of Zope is released, fixing this in the base ZopePageTemplate class, the fix will propagate to the CMF's FSPageTemplate class without changes.

Changed in zope-cmf:
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Tres Seaver (tseaver) wrote :

FWIW, the attached patch protects the 'Src' class with the 'View management screens' permission.

Revision history for this message
Tres Seaver (tseaver) wrote :

Changes ready to push to 2.12 and 2.13 branches and the trunk.

Changed in zope2:
assignee: nobody → Tres Seaver (tseaver)
importance: Low → Medium
milestone: none → 2.12.27
Changed in zope2:
status: Confirmed → Fix Released
Revision history for this message
Richard Mitchell (mitchellrj) wrote :

In reply to Tres' comment of 7 months ago (sorry!) the security risk is that proprietary code could be exposed, this code having been created with the assumption that its source would not be revealed.

I'm not saying it's good or even common practice, but I've seen code with API keys and other privileged information kept in TTW Zope objects before now.

Tres Seaver (tseaver)
information type: Private Security → Public Security