Thursday 25 March 2010 9:55:45 am - 19 replies

Introduction

The EZSA-2010-001 security advisory was released today, fixing a remote vulnerability in eZ Search. Please read it carefully.



Xavier Serna

Thursday 25 March 2010 11:10:02 am

Hi Nicolas, please can you give us some more info about this issue? By exploiting this bug, can eZ instances be blocked, can data be modified, or could restricted data be fetched in search results?

thanks in advance,

--
Xavier Serna
eZ Publish Certified Developer
Departament de Software
Microblau S.L. - http://www.microblau.net
+34 937 466 205

Robin Muilwijk

Thursday 25 March 2010 12:09:37 pm

Hi Nicolas,

With "3.7 to 4.2", does that mean it includes any version of 4.2 also? That requires the patch?

Thanks Robin

Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation.

LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk

Robin Muilwijk

Thursday 25 March 2010 12:11:38 pm

Never mind ;) Resolved in 4.2.x and 4.1.x.

Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation.

LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk

Robin Muilwijk

Thursday 25 March 2010 12:57:21 pm

For anyone who reads my previous comment, you need to apply the patches to 4.1 and 4.2 also. I got confused. The article Nicolas refers/links to clearly states applying the patches to those versions.

-- Robin

Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation.

LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk

Kristof Coomans

Friday 26 March 2010 12:15:04 am

It doesn't look like these issues were fixed in svn. Will the fixes land in svn, and in which timeframe?

See http://pubsvn.ez.no/websvn2/log.php?repname=nextgen&path=%2Fstable%2F4.2%2Fkernel%2Fcontent%2Fadvancedsearch.php&rev=0&isdir= and http://pubsvn.ez.no/websvn2/log.php?repname=nextgen&path=%2Fstable%2F4.2%2Fkernel%2Fsearch%2Fplugins%2Fezsearchengine%2Fezsearchengine.php&rev=0&isdir=

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

Denitsa M.

Friday 26 March 2010 1:36:21 am

Thanks! This can also be applied into 4.0.x.

Deni

Iguana IT - http://www.iguanait.com

André R.

Friday 26 March 2010 2:11:15 am

Kristof Coomans: As normal we publish the fix before we commit to svn, something you know very well. Normally it will be in svn soon.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Matthieu Sévère

Friday 26 March 2010 2:49:34 am

"Hi Nicolas, please can you give us some more info about this issue?"

+1 :)

--
eZ certified developer: http://ez.no/certification/verify/346216

Kristof Coomans

Friday 26 March 2010 4:05:48 am

@Andre: "something you know very well". No need for blaming me that way, I am just asking for information. I can't know (unless it's documented somewhere, if so please point me to the link) what the current policies are because there are no more maintenance releases, and previously security fixes were committed right after the maintenance releases came out.

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

Nicolas Pastorino

Friday 26 March 2010 4:28:04 am

Hello everyone,

The original blog post was updated, answering all your questions, bringing combined patches along with installation instructions : http://share.ez.no/blogs/ez/security-advisory-promptly-patch-your-ez-publish-instances

Cheers,

--
Nicolas Pastorino
Director Community - eZ
Member of the Community Project Board

eZ Publish Community on twitter: http://twitter.com/ezcommunity

t : http://twitter.com/jeanvoye
G+ : http://plus.tl/jeanvoye

José Manuel Chasco González

Friday 26 March 2010 5:12:23 am

Hi everybody!
We think that by adding the function "generateSQLINStatement" to the dbInterface class, this patch could be applied (manually) to 3.9.X versions too. We have tested it on two sites and everything is still searching. :)
It would be good to have more information or an example of how to exploit the vulnerability, to check if it is fixed now in those/all versions, although I understand that giving this information is a big security risk.
Best regards.

Ole Morten Halvorsen

Friday 26 March 2010 6:45:25 am

From what I can make out of the patches, this seems like a straightforward SQL injection via the SearchSectionID GET parameter. mysql_query() doesn't support multiple queries, so you can't do things like

mysql_query( "SELECT ...; UPDATE ezuser ... " );

so you are a bit better off with MySQL, but you can still insert things like subqueries, etc. pg_query(), on the other hand, does support multiple queries, making it trivial to gain admin access.

Ole

Senior Software Engineer - Vision with Technology

http://www.visionwt.com
http://www.omh.cc
http://www.twitter.com/omh

eZ Certified Developer
http://ez.no/certification/verify/358441
http://ez.no/certification/verify/272578
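A defensive illustration of the bug class Ole describes above (an integer-list request parameter pasted into an SQL IN clause), added here for this thread and not taken from the eZ Publish code base or its patch; the function names and the sample inputs are constructed.

```php
<?php
// Added example, not eZ Publish code. Shows the difference between dropping a
// raw request value into an SQL IN clause and validating it as an integer list.

// Vulnerable pattern (for contrast only): whatever arrives in the request
// parameter is concatenated into the query text unchanged.
function buildSectionFilterVulnerable(string $rawSectionIDs): string
{
    return 'section_id IN (' . $rawSectionIDs . ')';
}

// Hardened pattern: accept a comma-separated string or an array, require every
// element to be a plain decimal integer, and reject the whole request on any
// violation rather than silently "cleaning" it. The caller should answer the
// null with an HTTP 400 and log the rejected value for detection purposes.
function buildSectionFilterHardened($sectionIDs): ?string
{
    $ids = is_array($sectionIDs) ? $sectionIDs : explode(',', (string) $sectionIDs);
    $clean = array();
    foreach ($ids as $id) {
        $id = trim((string) $id);
        // Only digits, bounded length: no quotes, parentheses, comments or spaces.
        if (!preg_match('/^[0-9]{1,10}$/', $id)) {
            return null;
        }
        $clean[(int) $id] = true; // keyed to drop duplicates
    }
    if (count($clean) === 0) {
        return null;
    }
    return 'section_id IN (' . implode(', ', array_keys($clean)) . ')';
}

// Constructed sample inputs, as a search form might send them.
$samples = array('3,5', '5, 5 ,7', '3, 5x', '', array('2', '9'));
foreach ($samples as $sample) {
    $label = is_array($sample) ? 'array(' . implode(',', $sample) . ')' : "'$sample'";
    $clause = buildSectionFilterHardened($sample);
    echo $label, ' => ', ($clause === null ? 'REJECTED' : $clause), "\n";
}
// The vulnerable builder passes the same non-numeric input straight through.
echo "vulnerable: ", buildSectionFilterVulnerable('3, 5x'), "\n";
```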

Brendan Pike

Sunday 28 March 2010 6:50:21 pm

I found the 4.1 security patch applies smoothly against a 3.10.x site. Could eZ please confirm that this does, however, correctly secure a 3.10.x site?

www.dbinformatics.com.au

We are always interested in hearing from experienced eZ PHP programmers and eZ template designers interested in contract work.

Kristof Coomans

Sunday 28 March 2010 11:09:22 pm

The arguments of the eZDBInterface::generateSQLINStatement() method have slightly changed between the 3.10 and 4.0 series, so applying the patch on 3.10 will probably give unexpected results.

I guess you can correct it easily for 3.10 installations though, by removing the 4th argument (false) to the generateSQLINStatement() calls in the patch. I did not test this myself, so use with care.

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

Brendan Pike

Monday 29 March 2010 1:36:23 am

Thanks Kristof, search still works fine without that 4th argument so I'll touch wood and run with that :)

www.dbinformatics.com.au

We are always interested in hearing from experienced eZ PHP programmers and eZ template designers interested in contract work.

Norbert Wagner

Tuesday 30 March 2010 5:38:13 am

Hello,
Is it safe to simply disable the entire search module?

like this:

[SiteAccessRules]
Rules[]=access;disable
Rules[]=module;content/search

Thanks,
Norbert

Steven E. Bailey

Tuesday 30 March 2010 9:05:53 am

Or just advanced search?

[SiteAccessRules]
Rules[]=access;disable
Rules[]=module;content/advancedsearch

Certified eZPublish developer
http://ez.no/certification/verify/396111

Available for ezpublish troubleshooting, hosting and custom extension development: http://www.leidentech.com

Jean-Luc Nguyen

Wednesday 31 March 2010 1:34:34 am

Hello,

Can you confirm to us that those patches are bundled in the eZ 4.3 version?

Thanks!

http://www.acidre.com

Paul Borgermans

Wednesday 31 March 2010 2:04:26 am

"Hello,

Can you confirm to us that those patches are bundled in the eZ 4.3 version?

Thanks!"

Of course!

Paul

eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans
