Thursday 25 March 2010 5:55:45 pm - 19 replies
The EZSA-2010-001 security advisory was released today, fixing a remote vulnerability in eZ Search. Please read it carefully.
Friday 26 March 2010 8:15:04 am
It doesn't look like these issues were fixed in svn, will the fixes land in svn and in which timeframe?
See http://pubsvn.ez.no/websvn2/log.p...ancedsearch.php&rev=0&isdir= and http://pubsvn.ez.no/websvn2/log.p...earchengine.php&rev=0&isdir=
Friday 26 March 2010 12:05:48 pm
@Andre: "something you know very well". No need for blaming me that way, I am just asking for information. I can't know (unless it's documented somewhere, if so please point me to the link) what the current policies are because there are no more maintenance releases, and previously security fixes were committed right after the maintenance releases came out.
Friday 26 March 2010 12:28:04 pm
Hello everyone,
The original blog post was updated, answering all your questions, bringing combined patches along with installation instructions : http://share.ez.no/blogs/ez/security-advisory-promptly-patch-your-ez-publish-instances
Cheers,
Friday 26 March 2010 1:12:23 pm
Hi everybody!
We think that by adding the function "generateSQLINStatement" to the dbInterface class, this patch could be applied (manually) to 3.9.X versions too. We have tested it on two sites and everything is still searching!
It would be good to have more information or an example of how to exploit the vulnerability, to check whether it is now fixed in those/all versions, although I understand that giving out this information is a big security risk.
Best regards.
Friday 26 March 2010 2:45:25 pm
From what I can make out of the patches, this seems like a straightforward SQL injection via the SearchSectionID GET parameter. mysql_query() doesn't support multiple queries, so you can't do things like
mysql_query( "SELECT ...; UPDATE ezuser ... " );
so you are a bit better off with MySQL, but you can still insert things like subqueries, etc. pg_query(), on the other hand, does support multiple queries, making it trivial to gain admin access.
Ole
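To make the pattern Ole describes concrete, here is an added example (not code from eZ Publish or from anyone in this thread) that models the bug and the fix in Python against an in-memory SQLite database. The table layout, the row data, the parameter name and the helper `generate_sql_in_statement` are all constructed for illustration; the helper only imitates the idea of eZDBInterface::generateSQLINStatement() (every element forced to an integer before it reaches the SQL) and is not the real method's signature. SQLite, like MySQL's mysql_query(), will not run stacked statements here, so the injected value uses a UNION rather than a second query, which is exactly the "subqueries, etc." case.

```python
import sqlite3

# Constructed sample schema: a minimal stand-in for the content and user
# tables. The real eZ Publish tables have many more columns; the hash value
# below is a made-up placeholder, not a real credential.
SCHEMA = """
CREATE TABLE ezcontentobject (id INTEGER, name TEXT, section_id INTEGER);
CREATE TABLE ezuser (contentobject_id INTEGER, login TEXT, password_hash TEXT);
INSERT INTO ezcontentobject VALUES (10, 'Home', 1), (11, 'Products', 2), (12, 'Internal', 3);
INSERT INTO ezuser VALUES (14, 'admin', 'constructed-fake-hash');
"""


def open_db():
    """Create the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_unsanitized(conn, section_ids_param):
    """Pre-patch pattern: the raw SearchSectionID value is spliced into
    the IN list as-is. Anything the attacker puts in the parameter
    becomes part of the statement."""
    sql = ("SELECT id, name FROM ezcontentobject "
           f"WHERE section_id IN ({section_ids_param})")
    return conn.execute(sql).fetchall()


def generate_sql_in_statement(elements, column_name, not_in=False):
    """Hypothetical stand-in for eZDBInterface::generateSQLINStatement()
    (assumed helper, not the real method). Each element is converted with
    int(), so a value such as "0) UNION SELECT ..." raises ValueError and
    never reaches the query; only digit strings survive."""
    ids = [int(str(e).strip()) for e in elements]
    if not ids:
        raise ValueError("empty IN list")
    keyword = "NOT IN" if not_in else "IN"
    return f"{column_name} {keyword} ({', '.join(str(i) for i in ids)})"


def search_sanitized(conn, section_ids_param):
    """Post-patch pattern: split the parameter and build the IN clause only
    from validated integers."""
    where = generate_sql_in_statement(section_ids_param.split(","), "section_id")
    return conn.execute(f"SELECT id, name FROM ezcontentobject WHERE {where}").fetchall()


def sanitized_rejects(conn, section_ids_param):
    """True if the hardened path refuses the parameter outright."""
    try:
        search_sanitized(conn, section_ids_param)
    except ValueError:
        return True
    return False


# Constructed attacker value: closes the IN list, appends a UNION that reads
# the user table, and comments out the trailing ")" of the original query.
INJECTED = "0) UNION SELECT contentobject_id, password_hash FROM ezuser --"

if __name__ == "__main__":
    db = open_db()
    print("legit, unsanitized:", search_unsanitized(db, "1,2"))
    print("attack, unsanitized:", search_unsanitized(db, INJECTED))
    print("legit, sanitized:  ", search_sanitized(db, "1, 2"))
    print("attack, sanitized rejected:", sanitized_rejects(db, INJECTED))
```

The unsanitized path returns the user table's hash column for the injected value even though no second statement was executed, which is why "no stacked queries" on MySQL is only a partial mitigation. The integer cast is the whole fix: once every element of the list is guaranteed to be a number, the parameter can no longer alter the shape of the query, regardless of which database driver is underneath.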
Monday 29 March 2010 8:09:22 am
The arguments of the eZDBInterface::generateSQLINStatement() method have slightly changed between the 3.10 and 4.0 series, so applying the patch on 3.10 will probably give unexpected results.
I guess you can correct it easily for 3.10 installations though, by removing the 4th argument (false) to the generateSQLINStatement() calls in the patch. I did not test this myself, so use with care.
Modified on Monday 29 March 2010 8:13:16 am by Kristof Coomans