On 29/09/2011 19:14, Fabrizio Rota wrote:
It reminds me a lot of the privilege escalations from the previous times........

Worse: with this one you run commands as the plone user, for example deleting the entire contents of the plone user's directories (and therefore the instance).



2011/9/29 Yuri <[email protected]>

    oh, no, again! :-D

    -------- Original Message --------
    Subject:        [Plone-Users] Security Announcement: Severe Vulnerability - Patch Pre-Announcement
    Date:   Wed, 28 Sep 2011 13:54:49 -0700
    From:   Steve McMahon <[email protected]>
    To:     plone_users <[email protected]>, Plone Developers <[email protected]>



    During a security audit conducted by a member of the Plone
    Security Team, a severe vulnerability was discovered in Zope
    2.12.x and Zope 2.13.x that allows execution of arbitrary code by
    anonymous users.
    The vulnerability affects Plone 4.0 (through 4.0.9); Plone 4.1;
    Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x. It allows an
    unauthenticated attacker to employ a carefully crafted web request
    to execute arbitrary commands with the privileges of the
    Zope/Plone service.

    A patch will be available 2011-10-04, at 15:00 UTC.

    Please carefully read
    http://plone.org/products/plone/security/advisories/20110928 for
    more details.

    General questions about this announcement, Plone patching
    procedures, and availability of support may be addressed to
    the Plone support forums <http://plone.org/support>. If you
    have specific questions about this vulnerability or its handling,
    contact the Plone Security Team <mailto:[email protected]>.

    To report potentially security-related issues, please send a
    mail to the Plone Security Team <mailto:[email protected]>.
    The security team is always happy to credit individuals and
    companies who make responsible disclosures.


    _______________________________________________
    Plone-IT mailing list
    [email protected] <mailto:[email protected]>
    https://lists.plone.org/mailman/listinfo/plone-plone-it
    http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html




--
Fabrizio
--------------------
"Life is what happens to you while you're busy making other plans" - J. Lennon

“If you think education is expensive, try ignorance” - D. Bok

Life is like a game of cards. The hand you are dealt is determinism; the way you play it is free will - Jawaharlal Nehru

