Plone hotfix 2008-0164

It is possible to perform CSRF attacks on Plone sites with a version lower than 3.1. We recommend installing the Hotfix if you have a Plone 3.0 site. Plone 3.1 sites and newer are not affected by this exploit.
Sites older than Plone 3 (2.5, 2.0, 1.0 and so on) won't be able to make use of the hotfix; for those we recommend following the temporary workarounds listed on the Hotfix announcement:
We'll be installing the Hotfix for paid support customers where applicable (Plone 3.0 sites).
We are working on a solution for older Plone sites as well, which should give fairly good protection against these kinds of attacks.
Paid support customers with old Plone sites will get the fix we develop installed for free, and other customers will be able to have it installed on their site for 1 consulting hour.
[By morphex] [Zope instance management] [2008 15 May 20:55 GMT+2]