To Zinistry Vacana: Hacking or what?

Saturday 20 December 2003 2:31:47 pm

I sent these bugs to a couple of the eZ-crew yesterday included screenshots when I noticed these problems (I sent an email with information about these bugs and how there must be problem with the eZ-role permissions on their site, which allowed posting/editing of classes around in the structure, allowing anyone to change url-forwarding/translations, removing language settings etc etc. at www.ez.no and all other eZ publish sites. Conclusion: eZ Systems have set up the roles (at www.ez.no) with wrong privileges, but there are also some bugs here.

Marco (answer to your accusations of the testing) :
I have not changed information, not removed any information, or not messed up anything (but I could if I wanted to, but that is not my goal)..only given proof of these security issues (could not remove these objects, therefore I sent this mail to eZ, explaining these things, with ID so they could remove'em).

(Achtung! I posted a comment, and it unfortunately ended up at the front page...not my fault!), therefore I startet to check some other things in this system, and found a lot of security problems. If I did not try to post anything, we wouldn't have found these bugs either..so please think a little about that Marco ;)

Our company have used eZ publish for a long time, and I have given information to eZ Systems about a lot of bugs without doing any harm to the system, just testing it (it's important to do much more testing on this system, not just private on our own site. Every site has it's own weak points.

I will continue testing on our own site, but also eZ publish general sites, to ensure better security for all eZ users, and give feedback on these problems.

There are a couple of very serious bugs in this system (just give me a url, and I will tak down you site with just a browser). Have sent this information to eZ Systems a long time ago, but no solution is yet found.

Didn't want to post these things here in the forum, because I do not want to have people hacking around at the eZ sites the world over, or take down alle eZ sites.. I therefore held back information to avoid this.

I rather prefer to communicate private with eZ about a couple of security issues, and hope to get solutions so everyone can get a more secure eZ publish installation.

But an important issue is that everyone setting up roles in the eZ publish system, must know what they are doing, and test their roles, so we avoid these things.

Best regards
Zinistry

And take a look at:
This was the first topic about these issues:
http://www.ez.no/developer/ez_publish_3/forum/developer/lol_strange#msg40867

Sunday 21 December 2003 6:56:01 am

;) Tnx for your understanding Marco!

I also read forum-messages and bug reports..and the reason why you haven't seen me here, is that I use other alias-names/nicks, just to be more secure with everything...(but I'm also active here) ;)

Well..about the role permissions, I haven't found any doc. on this at www.ez.no. In our company I have checked the roles, developed some, and also split up a couple of roles so they are more secure , but this also need some more testing. Maybe I get the time to write a short doc. on this topic..but need feedback from eZ if they are planning to change the permission system in the future..then I have to wait.

A lot of modules in the permission-system are added (from v.3.0 -> if I'm not wrong), and the most important ones today are:
class
collaboration
content
error
ezdhtml
form
layout
notification
package
reference
role
search
section
setup
shop
trigger
url
user
workflow
etc.

Where's the documentation on www.ez.no on what every part of this means, and how to set up the permissions right for these modules?
That's the magical Christmas-question ;) ..but if you set up the permissions right, there are still bugs :(

I think eZ waits to document some stuff in the system because of possible future changing, and think also there exists a lot more doc. from eZ Systems on "howto" do stuff in eZ publish other than you can find on www.ez.no (but it's maybe beeing used as internal doc.), like all of us have our own doc.

How can we share this the best way, and how can we inform people to publish information/code which eZ has developed for them, to get a better community which reduce our development costs and we don't have to develope the same things twice, because we don't know that these modules we need already exist?

This have to be a question eZ Systems have to answer, how we can get hold of more already developed code, examples and information, to reduce our costs, and so we also can use more resources on testing extraordinary eZ publish developed stuff rather than to develope twice.

What about a page that describes what eZ Systems already have developed for their customers where we can download these things if the paying company agrees? The paying companies would also make profit on this idea.

"Our goal is to reduce costs in the development of this open source product", so we (the people) have to be more OSP's ;)
(O)pen (S)ource (P)articipant's
...and support this Open Source Product by doing some hardcore-testing to achieve better security ;)

***Wünsche euch alle eine Frohe Weihnachten und einen Guten Rutsch ins neue Jahr!***

Sunday 21 December 2003 2:38:41 pm

Well Zinistry,

You made Jan (amos) to work on sundays. In svn, part of what you are referring to is fixed now.

-paul

eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans