Plone/Zope – spammer havens?

[update 22 Sept 2006 11:55 AM PDT – I’ve been remiss in noting that Plone has a new release out that fixes this problem and they have instructions on how to clean up the spammer-generated content. I do, however, think that the folks at Plone are being disingenuous when they describe the scope of this vulnerability as being limited to high-visibility sites and when they downplay this as a security hole. Guys, if a spammer can upload arbitrary scripts to your site, that’s a security hole.]

This is an open note to the folks on the Plone and Zope projects: I don’t know if this is an exploit you’re aware of, but there’s a script or tool loose in the wild that makes it extremely easy for spammers to generate fake user IDs and bogus content for your systems.

As my regular readers will know, I’m involved with The Mystery of the Haunted Vampire, a quirky horror-ish blog. Lately, I’ve been more of an admin than contributor – and a lot of that has been checking the comment and trackback spam caught by the Akismet WordPress plugin.

So far, we’ve had no false positives and only one or two false negatives, which is definitely a hit ratio I can live with. I click on the “Administer Akismet” tab, give the spam a quick once-over, and select “delete all”. Boom, done. Not that big a deal… But a couple of days ago, something caught my eye – a bit o’ trackback spam that linked to a .edu domain instead of the usual .ru, .nu, .pl, .biz or .info domain.

So I checked it out using a text-only browser that sends a valid referrer-agent string (like IE or Mozilla) but displays the raw HTML and/or JavaScript behind a page. Turns out that the site is a homework/reading forum for a Comp Sci class, and the URL in the spam was a post to the forum that consisted solely of JavaScript that immediately redirects you to a typical pill-spammer site (Gee, that’s where the .biz was hiding. Imagine that.). Figuring that a federally-funded institution didn’t want to be supporting illegal online pharmacies, I reported it to their helpdesk, and the sites were taken down in a day or two.
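The check described above (look at the raw HTML behind a forum post and see whether it is nothing but a client-side redirect to some other domain) can be automated. The script below is an added example for this page, not code from the original post or from the Plone/Zope projects. It assumes you have already fetched the page HTML by whatever means you like; the two sample pages and the hostnames in them are constructed for illustration. It flags a page as redirect spam when it contains a JavaScript or meta-refresh redirect to a different host and has almost no visible text of its own, which is exactly what the post I found looked like.

```python
"""Flag forum/CMS pages whose body is essentially a client-side redirect
to another domain.

Added example for illustration only; not Plone/Zope code. Assumes the page
HTML has already been fetched. The sample pages below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Immediate JavaScript redirects: location = "...", location.href = "...",
# window.location.replace("..."), document.location.assign("...") etc.
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?"""
    r"""\s*(?:=|\()\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
# <meta http-equiv="refresh" content="0; url=http://...">
META_REFRESH_URL = re.compile(r"""url\s*=\s*["']?([^"'\s;]+)""", re.IGNORECASE)


class _RedirectScanner(HTMLParser):
    """Collects <script> bodies, meta-refresh targets and visible text."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0      # inside <script> or <style>
        self.scripts = []
        self.meta_targets = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag in ("script", "style"):
            self.hidden_depth += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content") or "")
            if m:
                self.meta_targets.append(m.group(1))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.hidden_depth:
            self.scripts.append(data)
        elif data.strip():
            self.visible.append(data.strip())


def _offsite(target, page_url):
    """True if target is an absolute URL whose host differs from the page's."""
    host = urlparse(page_url).netloc.lower()
    t = urlparse(target).netloc.lower()
    return bool(t) and t != host


def analyze(html, page_url, min_visible_chars=200):
    """Return the off-site redirect targets found in the page and a verdict.

    'spam' is True when there is at least one off-site redirect and the page
    carries less than min_visible_chars of visible text (i.e. the forum
    template plus nothing but the redirect).
    """
    p = _RedirectScanner()
    p.feed(html)
    p.close()
    targets = [m.group(1) for s in p.scripts for m in JS_REDIRECT.finditer(s)]
    targets += p.meta_targets
    offsite = [t for t in targets if _offsite(t, page_url)]
    visible_chars = sum(len(t) for t in p.visible)
    return {
        "offsite_redirects": offsite,
        "visible_chars": visible_chars,
        "spam": bool(offsite) and visible_chars < min_visible_chars,
    }


# Constructed sample pages (hostnames are made up for the example).
SPAM_POST = """<html><head><title>CS 101 Reading Forum</title></head><body>
<div class="post"><script type="text/javascript">
window.location.replace("http://cheap-pills.example.biz/?from=forum");
</script></div></body></html>"""

REAL_POST = """<html><head><title>CS 101 Reading Forum</title></head><body>
<h1>Week 3: reading notes</h1>
<p>Chapter 4 covers hashing. The amortised analysis of open addressing is the
part to focus on for the quiz; the instructor also posted a worked example.</p>
<script>document.location.href = "/forum/week3#notes";</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("spam", SPAM_POST), ("real", REAL_POST)):
        print(name, analyze(page, "http://cs.example.edu/forum/post/1"))
```

A relative redirect (as in the second sample) is left alone because it stays on the same host; only absolute URLs to another domain count. The visible-text threshold is a rough heuristic and is there to be tuned against your own forum template, but it catches the case in the post: a template, a title, and a script that bounces the visitor somewhere else.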

Well, yesterday we got another lovely chunk of pill-pushing spammy goodness – and almost every single link was to a .edu URL. We aren’t talking questionable schools, either – these were almost all subdomains on the sites of Ivy League, public Ivy, and Top 10 schools.

Real schools, all really well-known names, all harboring spammer redirects. Whoops.

When I went to look up the contacts for these sites, I noticed they were all running the exact same software: Plone and/or Zope. Plone and Zope are open-source content management systems (CMS isn’t my thing, but it looks like Zope is the foundation that Plone is built upon) that provide an extensible, flexible framework for, well, community portals – very similar to the Comp Sci portal I initially saw. And every single site that spammer exploited was using pretty damn close to the exact same combination of tools.

So I guess you can also consider this an open note to all those academic and non-profit teams running open-source community portals like Plone: tighten up your security, and make sure you lock the damn site down if it isn’t live. One Ivy League school linked in that spam had thousands of spammer redirects on one of their sites – and it looked like the main site hadn’t been actively used in a couple of years. How’d you like to have Google results for pyramid schemes, skeezy refinance outfits, work at home ripoffs, illegal narcotics, and penis pills associated with your domain?

Yeah, I didn’t think so.
