Security advisory, promptly patch...

Thursday 25 March 2010 5:55:45 pm - 19 replies

Introduction

Today was released the EZSA-2010-001 security advisory, fixing a remote vulnerability in eZ Search. Please read carefully.

Thursday 25 March 2010 7:10:02 pm

Hi Nicolas, please can you give us some more info about this issue? By exploiting this bug, can eZ instances be blocked, can data be modified, or could restricted data be fetched in search results?

thanks in advance,

Thursday 25 March 2010 8:09:37 pm

Hi Nicolas,

With "3.7 to 4.2", does that mean it includes any version of 4.2 also? That requires the patch?

Thanks Robin

Thursday 25 March 2010 8:11:38 pm

Never mind ;) Resolved in 4.2.x and 4.1.x.

Thursday 25 March 2010 8:57:21 pm

For anyone who reads my previous comment, you need to apply the patches to 4.1 and 4.2 also. I got confused. The article Nicolas refers/links to clearly states applying the patches to those versions.

-- Robin

Friday 26 March 2010 8:15:04 am

It doesn't look like these issues were fixed in svn, will the fixes land in svn and in which timeframe?

See http://pubsvn.ez.no/websvn2/log.p...ancedsearch.php&rev=0&isdir= and http://pubsvn.ez.no/websvn2/log.p...earchengine.php&rev=0&isdir=

Friday 26 March 2010 9:36:21 am

Thanks! This can also be applied to 4.0.x.

Deni

Friday 26 March 2010 10:11:15 am

Kristof Coomans: As normal we publish the fix before we commit to svn, something you know very well. Normally it will be in svn soon.

Modified on Friday 26 March 2010 10:11:39 am by André R

Friday 26 March 2010 10:49:34 am

Hi Nicolas, please can you give us some more info about this issue?

+1 :)

Friday 26 March 2010 12:05:48 pm

@Andre: "something you know very well". No need for blaming me that way, I am just asking for information. I can't know (unless it's documented somewhere, if so please point me to the link) what the current policies are because there are no more maintenance releases, and previously security fixes were committed right after the maintenance releases came out.

Friday 26 March 2010 12:28:04 pm

Hello everyone,

The original blog post was updated, answering all your questions, bringing combined patches along with installation instructions : http://share.ez.no/blogs/ez/security-advisory-promptly-patch-your-ez-publish-instances

Cheers,

Friday 26 March 2010 1:12:23 pm

Hi everybody!
We think that, by adding the function "generateSQLINStatement" to the dbInterface class, this patch could be applied (manually) to 3.9.X versions too. We have tested it on two sites and everything is still searching :) !
It would be good to have more information or an example about how to exploit the vulnerability, to check if it is fixed now in those/all versions, although I understand that giving this information is a big security risk.
Best regards.

Friday 26 March 2010 2:45:25 pm

From what I can make out of the patches this seems like a straightforward SQL injection via the SearchSectionID GET parameter. mysql_query() doesn't support multiple queries so you can't do things like

mysql_query( "SELECT ...; UPDATE ezuser ... " );

so you are a bit better off with MySQL, but you can still insert things like subqueries, etc. pg_query(), on the other hand, does support multiple queries, making it trivial to gain admin access.

Ole
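The defensive pattern the patch relies on (an integer-only IN clause builder in the spirit of eZ's generateSQLINStatement(), so that a list parameter such as SearchSectionID never reaches the SQL string as raw text) can be illustrated outside eZ. This is an added example written in Python against an in-memory SQLite table, not eZ Publish code; the table contents and the deduplication of values are constructed assumptions for the illustration.

```python
import re
import sqlite3

# Constructed sample rows standing in for content objects and their section ids
# (assumption: illustrative data only, not an eZ Publish schema dump).
SAMPLE_ROWS = [(1, 1, "Home"), (2, 1, "About"), (3, 2, "Intranet"), (4, 3, "Admin only")]


def generate_sql_in_statement(column, values, not_in=False):
    """Build `column IN ( ... )` from an untrusted list, accepting only integers.

    Any value that is not a plain integer (a subquery, a quoted string, a
    comma-joined pair) is rejected before any SQL is assembled, so the request
    parameter can only ever contribute a list of numbers to the query.
    """
    if not values:
        raise ValueError("empty value list")
    ints = []
    for v in values:
        if not re.fullmatch(r"-?\d+", str(v).strip()):
            raise ValueError("non-integer value in list: %r" % (v,))
        ints.append(int(v))
    ints = sorted(set(ints))  # constructed choice: drop duplicates, keep order stable
    op = "NOT IN" if not_in else "IN"
    return "%s %s ( %s )" % (column, op, ", ".join(str(i) for i in ints))


def search_sections(raw_section_ids):
    """Run a section filter built by generate_sql_in_statement() on sample data."""
    clause = generate_sql_in_statement("section_id", raw_section_ids)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ezcontentobject (id INTEGER, section_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO ezcontentobject VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(
        "SELECT name FROM ezcontentobject WHERE " + clause + " ORDER BY id"
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


def is_safe_section_param(raw_section_ids):
    """Validation check for incoming list parameters: True only if every value is an integer."""
    try:
        generate_sql_in_statement("section_id", raw_section_ids)
        return True
    except ValueError:
        return False
```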

Monday 29 March 2010 3:50:21 am

I found the 4.1 security patch applies smoothly against a 3.10.x site. Could eZ please confirm that this does however correctly secure a 3.10.x site?

Monday 29 March 2010 8:09:22 am

The arguments of the eZDBInterface::generateSQLINStatement() method have slightly changed between the 3.10 and 4.0 series, so applying the patch on 3.10 will probably give unexpected results.

I guess you can correct it easily for 3.10 installations though, by removing the 4th argument (false) to the generateSQLINStatement() calls in the patch. I did not test this myself, so use with care.

Modified on Monday 29 March 2010 8:13:16 am by Kristof Coomans

Monday 29 March 2010 10:36:23 am

Thanks Kristof, search still works fine without that 4th argument so I'll touch wood and run with that :)

Tuesday 30 March 2010 2:38:13 pm

Hello,
is it safe to simply disable the entire search module?

like this:

[SiteAccessRules]
Rules[]=access;disable
Rules[]=module;content/search

Thanks,
Norbert

Tuesday 30 March 2010 6:05:53 pm

Or just advanced search?

[SiteAccessRules]
Rules[]=access;disable
Rules[]=module;content/advancedsearch

Modified on Tuesday 30 March 2010 6:08:29 pm by Steven E Bailey

Wednesday 31 March 2010 10:34:34 am

Hello,

Can you confirm us that those patches are bundled on eZ 4.3 version?

Thanks!

Wednesday 31 March 2010 11:04:26 am

Hello,

Can you confirm us that those patches are bundled on eZ 4.3 version?

Thanks!

Of course!

Paul
