Forums / General / eZ Publish security vulnerabilities -- all I hear is silence...

eZ Publish security vulnerabilities -- all I hear is silence...

Author Message

E Gib

Tuesday 22 April 2003 1:41:18 am

Hi Guys,

I've been seriously considering making the move to eZ Publish as my CMS of choice, moving from *Nuke.
I track the security mailing lists and I have noticed that our security researchers have been hard at work breaking many CMS' - *Nuke and eZ included.

What bothers me, though, is the lack of response from eZ systems. No mention on the site of these issues, at all! I'm thinking that the staff at eZ systems are trying to ignore the problem! So what I'd like to know:
* What's happening?
* Why is there no mention on the site of these issues?
* When will you have patches available?

Sources:
========
eZ Publish site.ini Information Disclosure Vulnerability
http://www.securityfocus.com/bid/7347

eZ Publish Multiple Cross Site Scripting Vulnerabilities
http://www.securityfocus.com/bid/7348

eZ Publish Multiple Path Disclosure Vulnerabilities
http://www.securityfocus.com/bid/7349

eZ publish multiple vulnerabilities
http://www.security-corporation.com/index.php?id=advisories&a=016

Cheers,
Erik.

PS. I am looking forward to having an eZ Publish site up and running soon...

Tony Wood

Tuesday 22 April 2003 1:47:26 am

There is a thread on this, and it was discussed.
http://ez.no/developer/ez_publish_3/forum/developer/security

Tony Wood : twitter.com/tonywood
Vision with Technology
Experts in eZ Publish consulting & development

Power to the Editor!

Free eZ Training : http://www.VisionWT.com/training
eZ Future Podcast : http://www.VisionWT.com/eZ-Future

E Gib

Tuesday 22 April 2003 2:19:52 am

My apologies - I totally missed that thread in the developer forum.

But, as the thread stated - security considerations must be more obviously stated - for the less educated :)...

So I can state - based on what I have read - that all issues have been resolved.
Based on this I *retract* the first post.

Tony Wood

Tuesday 22 April 2003 2:41:07 am

When it comes to security, it is always better to ask as all software has security issues :)

I do agree with you, there should be a stepped plan document for securing eZ. This could go from Low, Medium and High levels of security based on your needs, much likke other software.

I would like to see it contain differing types of issues, such as server side, database and client issues and how to resolve them and be accessible to all skill levels.

eZ is a good tool, and I hope your planned implementation goes ahead, and I wish you luck with it.

Tony

Tony Wood : twitter.com/tonywood
Vision with Technology
Experts in eZ Publish consulting & development

Power to the Editor!

Free eZ Training : http://www.VisionWT.com/training
eZ Future Podcast : http://www.VisionWT.com/eZ-Future

Karsten Jennissen

Tuesday 22 April 2003 3:12:26 am

How about setting up a section in the community docs on this?

Karsten

Tony Wood

Tuesday 22 April 2003 4:06:43 am

Good idea.

Tony Wood : twitter.com/tonywood
Vision with Technology
Experts in eZ Publish consulting & development

Power to the Editor!

Free eZ Training : http://www.VisionWT.com/training
eZ Future Podcast : http://www.VisionWT.com/eZ-Future

Jan Borsodi

Tuesday 22 April 2003 6:51:49 am

Thanks for your concern.

We've fixed the exploit for #7348, the search exploit was already fixed and the url exploit is now fixed too.

The two other exploits are based on site setups and cannot be automatically fixed by eZ publish. However we will see if we can make the default setup more secure, ie a .htaccess file (if it can be done) and perhaps renamed .ini files.
The setup and documentation will also be updated.

A new release with these fixed will come "pretty soon", also we will release some patches for this.

--
Amos

Documentation: http://ez.no/ez_publish/documentation
FAQ: http://ez.no/ez_publish/documentation/faq

E Gib

Tuesday 22 April 2003 7:48:16 am

Thanks Jan.
It's nice to know that these problems have been addressed.

But, as already mentioned it'd be great to have a documentation easily available :
a) showing bug/vulnerability fixes
b) securing the default install more [which you have already addressed above]

Keep the good work up. eZ Systems really have brilliant and unique Open Source product here, and I [and many others] really appreciate it and wish to see it grow more.

Scot Wilcoxon

Tuesday 22 April 2003 10:23:43 am

May I suggest a little Apache configuration addition? The php scripts have direct access to the settings files, so there is no need to allow web browser access.

<Directory /var/www/html/ezpublish-3.0-1/settings/>
Order deny,allow
Deny from all
Options None
AllowOverride None
</Directory>

I'll drop this in the previously mentioned security discussion.

Tony Wood

Wednesday 23 April 2003 10:03:16 am

Good idea.

On virtual hosted sites I believe that the rewrite engine will grab everthing anyway. But its belts and braces, so it protects you should you mess up the config in some way.

Tony Wood : twitter.com/tonywood
Vision with Technology
Experts in eZ Publish consulting & development

Power to the Editor!

Free eZ Training : http://www.VisionWT.com/training
eZ Future Podcast : http://www.VisionWT.com/eZ-Future

Karsten Jennissen

Wednesday 23 April 2003 12:28:08 pm

Actually, why not in future releases put the settings directory outside of web root? I remember that with some other scripts (e.g. Phorum), there is one basic setting in webroot which points to the directory where the actual configuration can be found.

Karsten