
Security Advisories

Monday 18 October 2010 10:07:56 pm - 33 replies

Are there any plans to move the security advisories (currently available at https://auth.ez.no/developer/security/security_advisories) onto share.ez.no?

Tuesday 19 October 2010 12:16:34 am

+1

File a feature request?

Tuesday 19 October 2010 8:17:22 am

+1, Very Good Idea.

File an issue and share the issue number here in the forum.

Be sure to file it under the community project tab, http://issues.ez.no/ProjectSelect.php?Id=6

Cheers,

Heath

Modified on Tuesday 19 October 2010 8:17:46 am by // Heath

Tuesday 19 October 2010 9:05:18 am

Enhancement request: http://issues.ez.no/IssueView.php?Id=17488&activeItem=1

Tuesday 19 October 2010 6:24:52 pm

Thank you Eirik! I hope the issue is promptly and properly resolved. (Thanks for sharing the issue link here in the forums as well)

Cheers,

Heath

Wednesday 20 October 2010 9:58:26 am

Thanks everyone. This is taken into account. I am currently redesigning the Download & Develop page a bit, and the advisories will be part of it. You can get an idea of how this will look here: http://share.ez.no/design-contest/wireframes (click the 'Download & Develop' top menu entry inside the wireframes).

Any input on this?
Cheers!

Thursday 21 October 2010 9:50:28 pm

Hi Nicolas,

Looks fine. Haven't really got any feedback. This isn't a page that needs to be very accessible, so as long as it's located somewhere that makes sense (and includes an RSS feed), I think we should be set.

Wednesday 20 July 2011 11:17:52 am

Hi.

I've been googling for a suitable page with security advisories for eZ software, and this is incidentally the best match.

Under "Download & Develop", there is a dangling link in a box on the right hand side, called "Advisories", and that's just about all there is to see, as far as I can tell.

So what happened to this, where can I find the advisories?

Best regards,

Jan

Modified on Wednesday 20 July 2011 11:27:56 am by Jan Ingvoldstad

Tuesday 27 September 2011 3:21:13 pm

Hi Nico,

It's been almost a year, and now the link I was referring to doesn't work either. Any update on this issue?

Tuesday 27 September 2011 3:46:20 pm

> Hi Nico,
>
> It's been almost a year, and now the link I was referring to doesn't work either. Any update on this issue?

Try contacting their CTO, Bård Farstad (http://ez.no/About-us/Management-Team)

Email addresses at eZ are in the form of initials at ez.no, e.g. eaj@ if you were an employee.

If you can also help in explaining to the company why secret security vulnerabilities are a very, very bad idea, and only promote an increasingly insecure web, that would be nice.

Tuesday 27 September 2011 3:57:51 pm

Hi Jan,

Thanks, but I thought I would give Nicolas a chance to reply, as he's usually fast when it comes to social media. Also, I prefer not to bother Bård unless I have to, since I know he's a busy guy.

Tuesday 27 September 2011 4:10:35 pm

Hi,

@Eirik: thanks for raising the subject again. Times are busy, yet this makes no valid excuse given the criticality of this very valid point. I will reiterate my call for action internally to aggregate and publish the advisories.

@Jan: we are well aware of the criticality of making advisories public; they have been, until the former community sub-section on ez.no was transferred to share.ez.no. Also, I am not sure Bård is the right contact here.

Thanks to both of you,
Cheers,

Tuesday 27 September 2011 4:18:12 pm

> @Jan: we are well aware of the criticality of making advisories public; they have been, until the former community sub-section on ez.no was transferred to share.ez.no. Also, I am not sure Bård is the right contact here.

Nicolas, thanks for answering.

If Bård is not the right contact, then who is?

The CEO?

Tuesday 27 September 2011 4:49:20 pm

> @Jan: we are well aware of the criticality of making advisories public; they have been, until the former community sub-section on ez.no was transferred to share.ez.no. Also, I am not sure Bård is the right contact here.
>
> Nicolas, thanks for answering.
>
> If Bård is not the right contact, then who is?
>
> The CEO?

Hi Jan,

I did not intend to sound pedantic; please excuse me if that was the case.
I merely meant that a more effective contact would be our engineering team. As I am in daily contact with them, I hereby proposed myself to relay this pretty valid request. By the time of this reply, this was already done.

Cheers,

Tuesday 27 September 2011 6:26:21 pm

Hello Everyone,

I just wanted to chime in my vote for support of eZ Publish Security Advisories.

I think they are critical and I've been quite disappointed in the lapse in coverage.

Cheers,

Heath

Friday 07 October 2011 8:19:02 am

+1

I too think this is a priority. eZ Publish has an excellent security record; this should be featured, not hidden. Also, being able to get rapid alerts, should any arise, is obviously important.

Friday 02 March 2012 3:00:50 pm

I think it is now safe to say that eZ does not care about their customers' security.

I've seen live remote code execution exploits against eZ Publish sites that were installed after security advisories were pulled from eZ's website.

These are not publicly known, and remain a shared secret between black hats and eZ.

I can see no other sensible course of action than to recommend moving away from eZ Publish over to platforms with open security policies, and to recommend that hosting companies disable eZ Publish installations until it is possible to reliably detect which ones are vulnerable versions and which ones are not.

Color me very, very disappointed.

Friday 02 March 2012 3:38:42 pm

For quite a while now eZ does seem to have struggled to find ground somewhere between proprietary and open-source philosophies. I hope they do find their feet though and dedicate resources to ensuring critical areas like security advisory channels are given proper respect and show the community they are valued.

Saturday 03 March 2012 8:34:47 am

Do you actually have a concrete security concern?

While I agree that eZ could be doing the security advisories better, I believe fundamentally eZPublish is secure - or at least as secure as a web application can be.

What I've seen is badly misconfigured eZPublish installations that are insecure... and if people don't upgrade then they are vulnerable - but that's no different from any other software.  Software - especially interactive software - is always going to have the potential for security issues.  That's why people hire me (and a lot of other people here) to maintain their installations.

Yes, the advisories seem to have disappeared, and I've seen code changes that should probably have been advisories, and I've heard of things that have been brought to the attention of eZ but not the community... but there is an argument that all full disclosure does is tip off the script kiddies. I don't agree with this, but it's an argument.

But, if you do find yourself slighted or ignored, then there are other vectors to get information out there:   http://packetstormsecurity.org/ and http://www.exploit-db.com/ come to mind.  Do a search for ezpublish - then do a search for Joomla or Wordpress or any other CMS.  Compare.

There are things you can do too:

Turn off user/login and content/search (and any other modules) on sites where they are not needed. I wouldn't trust all the extension code either - especially stuff that's a couple of versions back.

Whatever you do, if you don't use rewrite rules, make sure you delete the ~ files in the settings folders, otherwise you could potentially be leaking passwords to your mail gateway and/or your remote database. If your database can be accessed, then it's pretty much game over anyway.
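As an added illustration of the "~ files" point in the post above (not code from the original thread or from eZ), a small POSIX shell audit that lists leftover editor backups under settings/ and says which credential keys each one exposes, without printing the values. It assumes the settings layout and the site.ini key names noted in the comments, and builds a constructed sample tree to run against.

```shell
#!/bin/sh
# Audit an eZ Publish legacy tree for editor backup copies ("~" files) of
# settings files. PHP never executes a file ending in "~", so without rewrite
# rules shielding settings/ the web server hands it out as plain text.
# ASSUMPTIONS (not from the original post): settings live under settings/ and
# settings/siteaccess/<name>/, and keys follow site.ini naming (User/Password
# under [DatabaseSettings], TransportUser/TransportPassword under [MailSettings]).

make_sample_tree() {
    # Constructed sample layout for a dry run; prints the temporary root.
    root=$(mktemp -d)
    mkdir -p "$root/settings/override" "$root/settings/siteaccess/ezwebin_site"
    # Live override file: fine, PHP parses it and emits nothing.
    printf '[DatabaseSettings]\nServer=localhost\nUser=ezp\nPassword=s3cret\n' \
        > "$root/settings/override/site.ini.append.php"
    # Editor backup of the same file: served verbatim, leaks the DB login.
    cp "$root/settings/override/site.ini.append.php" \
       "$root/settings/override/site.ini.append.php~"
    # Backup holding mail gateway credentials.
    printf '[MailSettings]\nTransportUser=mailer\nTransportPassword=hunter2\n' \
        > "$root/settings/siteaccess/ezwebin_site/site.ini.append.php~"
    # Stale backup with no secrets: harmless, but still clutter to delete.
    printf '[DesignSettings]\nSiteDesign=ezwebin\n' \
        > "$root/settings/siteaccess/ezwebin_site/design.ini.append.php~"
    echo "$root"
}

report_leaky_backups() {
    # One line per "~" file under any settings/ directory:
    #   LEAK <file>: <key names>   or   STALE <file>
    find "$1" -path '*/settings/*' -type f -name '*~' 2>/dev/null |
    while IFS= read -r f; do
        keys=$(grep -oE '^(Transport)?(Password|User)=' "$f" | tr -d '=' |
               sort -u | tr '\n' ' ')
        if [ -n "$keys" ]; then
            echo "LEAK $f: $keys"
        else
            echo "STALE $f"
        fi
    done
}

count_leaky_backups() {
    # Number of backups that expose credentials (0 when the tree is clean).
    report_leaky_backups "$1" | grep -c '^LEAK' || true
}
```

Run report_leaky_backups against a real eZ Publish document root to get the list to delete; make_sample_tree only exists to try the script on the constructed tree.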

Saturday 03 March 2012 1:49:05 pm

Hi Steven, I can't speak for Jan of course, but naturally there are people out there with ezp sites of all versions, the owners of which need a way to read that their version is insecure and has a known security issue. I, like you, disagree with eZ Publish's security-through-obscurity policy; IMHO the only people it protects are non-active eZ Publish users. Not even eZ partners are fully informed about these issues, which speaks for itself.

Saturday 03 March 2012 7:02:14 pm

@Brendan

Yeah, it is unfortunate and it has been 1.5 years.  I'm guessing either it's an internal struggle for disclosure or it just got bumped in priority.

My main point is that eZPublish is actually comparatively secure - I don't want any potential clients to be unnecessarily spooked into thinking that's not true.  Just naked self-interest there.

I would actually recommend no one be on a version less than 4.5 at this point.  If I remember correctly there was an issue with logins for 4.1 and below and there was an issue with content search for 4.3 and below.  If there's anything I'm forgetting...

I would also always turn off ezinfo modules.  And make sure your templates don't show a copyright date... no point in giving malicious people an easy way of seeing what version and what extensions you are running.

Hmmm, maybe this is a good blog topic for another day.
