Plone arbitrary code execution
Description
A critical remote code execution vulnerability exists in Zope versions 2.12.x and 2.13.x that allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability can be exploited by sending a specially crafted HTTP request to the affected Zope or Plone instance, allowing the attacker to run commands with the same privileges as the web application service.
Versions Affected: Plone 4.0 (through 4.0.9), Plone 4.1, Plone 4.2 (alpha 1 and alpha 2), Zope 2.12.x, and Zope 2.13.x.
Versions Not Affected: Plone installations running on Zope versions other than 2.12.x and 2.13.x.
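For asset triage, the affected ranges above can be encoded as a small check run over an installation inventory. This is an added example written for this advisory, not Plone or Zope project code; it takes the advisory's ranges literally (any Zope 2.12.x or 2.13.x, Plone 4.0 through 4.0.9, any Plone 4.1.x, and the 4.2 alpha 1/2 pre-releases), and the hostnames and version strings in the sample inventory are constructed.

```python
import re

# Matches version strings such as "4.0.9", "4.1", "4.2a1", "2.13.8".
# The patch component and the pre-release tag (a/b/rc + number) are optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")


def parse_version(text):
    """Split a version string into (major, minor, patch, tag, tag_number).
    patch defaults to 0; tag and tag_number are None for a final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0), tag, int(num) if num else None)


def zope_affected(version):
    """Advisory range: Zope 2.12.x and 2.13.x, regardless of patch level."""
    major, minor, _, _, _ = parse_version(version)
    return major == 2 and minor in (12, 13)


def plone_affected(version):
    """Advisory range: Plone 4.0 through 4.0.9, Plone 4.1, Plone 4.2 alpha 1 and 2."""
    major, minor, patch, tag, num = parse_version(version)
    if major != 4:
        return False
    if minor == 0:
        return patch <= 9
    if minor == 1:
        return True
    if minor == 2:
        return tag == "a" and num in (1, 2)
    return False


def triage(inventory):
    """inventory: list of (hostname, plone_version, zope_version) tuples; the
    Zope version may be None when unknown. Returns hostnames needing the hotfix."""
    return [host for host, plone, zope in inventory
            if plone_affected(plone) or (zope is not None and zope_affected(zope))]


# Constructed sample inventory for demonstration; not real hosts.
SAMPLE_INVENTORY = [
    ("intranet-01", "4.0.9", "2.12.20"),
    ("intranet-02", "4.1", None),
    ("staging-01", "4.2a2", "2.13.10"),
    ("legacy-01", "3.3.6", "2.10.13"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs Plone Hotfix 20110928:", host)
```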
Remediation
Apply the official Plone Hotfix 20110928 (released October 4, 2011) immediately to all affected installations. Follow these steps to remediate:
1. Download the Plone Hotfix 20110928 from the official Plone website
2. Install the hotfix package in your Plone instance following the included installation instructions
3. Restart your Zope/Plone service to activate the hotfix
4. Verify the hotfix is properly installed by checking your instance's installed products
5. Consider upgrading to a newer, supported version of Plone and Zope that is not affected by this vulnerability
As a temporary mitigation, if immediate patching is not possible, restrict network access to the Plone/Zope instance with firewall rules that allow only trusted IP addresses until the hotfix can be applied.