You are here: Home / Important Plone Hotfix 20150910

Important Plone Hotfix 20150910

Important to apply Plone Hotfix 20150910 for registration spam and other security issues.

Plone Security Hotfix - After many years of reporting to the Plone folks in IRC and online that there was a serious problem with registration spam on all my Plone sites (~30), and several months working directly with one of their developers to try to stem the tide through adding on the EmailConfirmationRegistration Product: https://github.com/collective/collective.emailconfirmationregistration/issues/3, they finally found/acknowledged there is a deeper problem, and have released a hotfix today that (hopefully) fixes this years-long problem that affects pretty much every version of Plone.

Many thanks to Nathan Van Gheem & Marits Van Rees for having the patience to help finally track this down.

If you are a Plone Admin, grab the hotfix here today: https://plone.org/news/urgent-action-required-plone-security-vulnerability-hotfix-20150910 I just implemented this, and will be monitoring it closely. I will post updates on http://techtalk.hawkenterprising.com
My Love-Hate Relationship with Plone
I have had only two major frustrations with Plone: the registration spam issues, and the upgrade procress. Other than those two (significant) issues, I have been _very_ happy with Plone. They really seem to have fixed the upgrade issues since about version 4.x of Plone, but the spam registration issue has only become worse and worse.
Due to these two issues, I kept trying to abandon Plone. But every other CMS I tried just didn't compare in the rest of the features, ease of use, and security (other than this one big issue). So I have never been able to replace it with something better. I tried more than 20 different platforms and they just didn't compare favorably. So I just kept limping along with the issue.
I first dabbled with Zope (upon which Plone is built upon) in the 90's while working at Franklin Covey. It was a good-enough platform for systems administrators, but not really ready for public consumption by non-techies.
Then Plone was added on top, and after a few years of running on a few pilot sites, I eventually converted all my websites over toe Zope-Plone around 2004 with Plone 2.x. Plone has made it possible for one person to run so many robust community-based websites very easily, with very few security issues, and a very powerful and friendly CMS.
Though some significant growing pains since the 2.x days, they have been doing a great job.
Since they greatly improved the upgrade issues, my only (ongoing) gripe has been the problem with registration spammers, and hopefully that is finally fixed.

This single issue has all but killed off my community-based sites, so for me it has a real show stopper. It finally became so bad that about 2 years ago I had to disable user registration on the all sites, and that effectively killed off those communities, though I still kept posting what I could manually. Hopefully now, if the problem is fixed, these communities can come back to the vibrant life they once were.

For example, merp.com once (back around 2004) had over 1.8 million unique visitors per month, and 18,000+ registered users (not counting the additional 10,000 bogus registration spam users). Merp.com is nearly dead now. Hopefully this can be turned around now.

If you haven't tried Zope-Plone, and assuming the spam registration problem is fixed, I can once again highly recommend you should at least try it out.

Cheers!

-Hawke Robinson

admin
admin says:
Oct 31, 2015 01:25 AM
Well, this hotfix worked for about 5-6 weeks, but last week "they" seem to have figured out how to bypass once again, and directly create bogus accounts without ever going through any valid confirmation process, no matter whether there is captcha, recaptcha v2, norobots, emailconfirmationregistration, etc. They just create bogus accounts, at first just a handful, but soon thereafter by the hundreds/thousands, and then begin using those accounts to spam the sites, backscatter other email addresses and website, and generally do unpleasant things. So once again I am having to disable site self registration on all the sites, except the ones we are testing with honeypots, to try to figure out what is going on. Thankfully someone from the Plone community is helping directly, so we can figure out if this is just something in my setup, or something deeper within Plone. Will report back when have more about fixes.
Hawke Robinson
Hawke Robinson says:
Nov 13, 2015 12:26 PM
Okay, after a few weeks of logging, tweaking, and help from Vangheem, it might actually be a simple solution. Vangheem writes: "It seems that there are problems with acquisition magic and registration.
Acquisition is the process of finding the correct resource to display to
the user. In Plone, it is very generous to try and find the correct
resource to serve.

In this case, you are hosting multiple sites on one server. You can access
a different site from another site. For example:

http://www.northfivemile.com/rpgresearch
is the http://www.rpgresearch.com/ site

and http://www.northfivemile.com/rpgresearch works; however, without all
the customizations for registration that are available on the correct
http://www.rpgresearch.com/ site. So a bot can go to
http://www.northfivemile.com/rpgresearch and create an account no problem.

That's why I was seeing entries in the log for http://www.northfivemile.com
.

This package: https://pypi.python.org/pypi/collective.siteisolation was
created to prevent this behavior.

You can either install that package OR provide rewrite rules on the server
to prevent those urls.
"

I have been seen bounced emails from things like:
http://www.northfivemile.co[…]187a5ad7f28e7?userid=Elvira
Which seems to confirm his hypothesis potentially. So, I am going to go ahead and take the sites offline to run a full backup. Then add the collective.siteisolation product, and see if that solves things. Thanks again ever so much to Vangheem for all the help!
Hawke Robinson
Hawke Robinson says:
Nov 13, 2015 12:47 PM
Heh, and apparently Plone is now easier for snapshot backups than used to be. So won't have to take offline:
Vangheem said: "Just do:

./bin/backup
<modify buildout to add package>
./bin/buildout
./bin/client1 stop
./bin/client1 start
./bin/client2 stop
./bin/client2 start

can even take a client out of load balancing if you do not want any
downtime.

What I will even do is have a test client where I run buildout, start the
test client and make sure everything is good, then restart the other
clients. No downtime and more safe to not bring down production."
Navigation