EZSA-2019-007: Prevent accepting app.php in URL in

Publication date : 02/09/2019
Severity : Low
Affected versions : eZ Platform 1.7.9, 1.13.5, 2.5.3
Resolving versions : eZ Platform,, 2.5.4

The recommended rewrite rules in eZ Platform prevent users from including the front-controller script (normally "app.php") in URLs. This prevents certain vulnerabilities related to caching. However, this is not possible when using eZ Platform Cloud (i.e. running eZ Platform on the cloud service), nor can it be done within the configuration file. Therefore we need to reject such requests in the application itself. This advisory adds the prevention within the front controller script itself.
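
A check of this kind, placed in the front controller, could look like the following. This is an added example, not the commit shipped for this advisory. The function name `pathNamesFrontController`, the script path and the sample URIs are constructed, and rejecting the script name in any path segment is an assumption chosen to fail closed.

```php
<?php
// Added example, not eZ Platform code. Names and sample data are constructed.

/**
 * Returns true when the request path contains the front-controller script
 * name as a path segment, e.g. "/app.php" or "/app.php/some/page".
 */
function pathNamesFrontController(string $requestUri, string $scriptFilename): bool
{
    $script = basename($scriptFilename); // e.g. "app.php"
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return true; // missing or unparseable path: fail closed
    }
    // REQUEST_URI is not decoded, so decode once before comparing;
    // otherwise "/%61pp.php/..." would slip past a literal match.
    foreach (explode('/', rawurldecode($path)) as $segment) {
        // Case-insensitive, since some filesystems resolve "App.PHP" too.
        if (strcasecmp($segment, $script) === 0) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli') {
    // Front-controller use: reject before the kernel handles the request.
    if (pathNamesFrontController($_SERVER['REQUEST_URI'], $_SERVER['SCRIPT_FILENAME'])) {
        http_response_code(400);
        exit('400 Bad Request');
    }
} else {
    // Command-line demonstration over constructed request URIs.
    $samples = [
        '/',
        '/blog/post-1',
        '/app.php',
        '/app.php/blog/post-1?page=2',
        '/%61pp.php/blog',
        '/blog/app.php-notes',
    ];
    foreach ($samples as $uri) {
        $rejected = pathNamesFrontController($uri, '/var/www/web/app.php');
        printf("%-30s %s\n", $uri, $rejected ? 'reject (400)' : 'pass');
    }
}
```
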
If you use eZ Platform Cloud / we recommend that you install this security update as soon as possible. It is distributed via Composer as ezsystems/ezplatform, and, and 2.5.4. This is the commit:

If you come across a security issue in our products, here is how you can report it to us:
