This site has been archived. To learn more about our current products Ibexa Content, Ibexa Experience, Ibexa Commerce head over to the Ibexa Developer Portal

eZ Community » Security Advisories » EZSA-2019-006: Rules to disable...

EZSA-2019-006: Rules to disable executable access are ignored on (eZ Cloud)

Publication date : 23/08/2019
Severity : Medium
Affected versions : eZ Platform 1.7.9, 1.13.5, 2.5.3
Resolving versions : eZ Platform,, 2.5.4

The recommended Apache/Nginx virtual host configuration for eZ Platform includes a rewrite rule for blocking access to executable files in the var directory. This rule does not work when using eZ Platform Cloud (i.e. running eZ Platform on the cloud service).
The consequence of this is that in such a setup, those executable files may be downloadable. They will not be executable, unless you have specifically configured to allow that (which you really should not do). The severity of the download access is limited, but it's better if the cloud setup works the same way as regular eZ Platform does. All setups are affected.
The fix adds a rule to the configuration file, with the same effect as the rewrite rule already mentioned. After applying the fix, any attempt to access such files will fail with Access Denied. This security update is distributed via Composer as ezsystems/ezplatform, and, and 2.5.4. This is the commit:

This issue was reported to us by Serhey Dolgushev from Contextual Code:
We are very grateful for his research, and responsible disclosure to us.

If you come across a security issue in our products, here is how you can report it to us:

36 542 Users on board!

Community Project menu

Proudly Developed with from