|
Author
|
Message
|
|
Xavier Serna
|
Thursday 25 March 2010 11:10:02 am
Hi Nicolas, please can you give us some more info about this issue? Exploiting this bug the eZ instances can be blocked, or data can be modified, restricted data could be fetched in search results? thanks in advance,
--
Xavier Serna
eZ Publish Certified Developer
Departament de Software
Microblau S.L. - http://www.microblau.net
+34 937 466 205
|
|
Robin Muilwijk
|
Thursday 25 March 2010 12:09:37 pm
Hi Nicolas, With "3.7 to 4.2", does that mean it includes any version of 4.2 also? That require the patch? Thanks Robin
Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation.
LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk
|
|
Robin Muilwijk
|
Thursday 25 March 2010 12:11:38 pm
Never mind ;) Resolved in 4.2.x and 4.1.x.
Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation.
LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk
|
|
Robin Muilwijk
|
Thursday 25 March 2010 12:57:21 pm
For anyone who reads my previous comment, you need to apply the patches to 4.1 and 4.2 also. I got confused. The article Nicolas refers/links to cleary states applying the patches to those versions. -- Robin
Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation.
LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk
|
|
Kristof Coomans
|
Friday 26 March 2010 12:15:04 am
It doesn't look like these issues were fixed in svn, will the fixes land in svn and in which timeframe? See http://pubsvn.ez.no/websvn2/log.php?repname=nextgen&path=%2Fstable%2F4.2%2Fkernel%2Fcontent%2Fadvancedsearch.php&rev=0&isdir= and http://pubsvn.ez.no/websvn2/log.php?repname=nextgen&path=%2Fstable%2F4.2%2Fkernel%2Fsearch%2Fplugins%2Fezsearchengine%2Fezsearchengine.php&rev=0&isdir=
independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org
|
|
Denitsa M.
|
Friday 26 March 2010 1:36:21 am
Thanks! This can also be applied into 4.0.x. Deni
Iguana IT - http://www.iguanait.com
|
|
André R.
|
Friday 26 March 2010 2:11:15 am
Kristof Coomans: As normal we publish the fix before we commit to svn, something you know very well. Normally it will be in svn soon.
eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom
|
|
Matthieu Sévère
|
Friday 26 March 2010 2:49:34 am
"
Hi Nicolas, please can you give us some more info about this issue?
"
+1 :)
--
eZ certified developer: http://ez.no/certification/verify/346216
|
|
Kristof Coomans
|
Friday 26 March 2010 4:05:48 am
@Andre: "something you know very well". No need for blaming me that way, I am just asking for information. I can't know (unless it's documented somewhere, if so please point me to the link) what the current policies are because there are no more maintenance releases, and previously security fixes were committed right after the maintenance releases came out.
independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org
|
|
Nicolas Pastorino
|
Friday 26 March 2010 4:28:04 am
Hello everyone, The original blog post was updated, answering all your questions, bringing combined patches along with installation instructions : http://share.ez.no/blogs/ez/security-advisory-promptly-patch-your-ez-publish-instances Cheers,
--
Nicolas Pastorino
Director Community - eZ
Member of the Community Project Board
eZ Publish Community on twitter: http://twitter.com/ezcommunity
t : http://twitter.com/jeanvoye
G+ : http://plus.tl/jeanvoye
|
|
José Manuel Chasco González
|
Friday 26 March 2010 5:12:23 am
Hi everybody!
We think that adding the function "generateSQLINStatement" to the dbInterface class, this patch could be applied (manually) to 3.9.X versions too. We have tested it in two sites and everything is still searching . :) !
It would be good to have more information or an example about how to exploit the vulnerability, to check if it is fixed now in those/all versions, although I understand to give this information is a big security risk
Best regards.
|
|
Ole Morten Halvorsen
|
Friday 26 March 2010 6:45:25 am
From what I can make out of the patches this seems like a straightforward SQL injection via the SearchSectionID GET parameter. mysql_query() doesn't support multiple queries so you can't do things like
mysql_query( "SELECT ...; UPDATE ezuser ... " ); so you are a bit better off with MySQL, but you can still insert things like subqueries, etc. pg_query() on the other hand does support making multiple queries making it trivial to gain admin access. Ole
Senior Software Engineer - Vision with Technology
http://www.visionwt.com
http://www.omh.cc
http://www.twitter.com/omh
eZ Certified Developer
http://ez.no/certification/verify/358441
http://ez.no/certification/verify/272578
|
|
Brendan Pike
|
Sunday 28 March 2010 6:50:21 pm
I found the 4.1 security patch applies smoothly against a 3.10.x site. Could eZ please confirm that this does however correctly secure a 3.10.x site?
www.dbinformatics.com.au
We are always interested in hearing from experienced eZ PHP programmers and eZ template designers interested in contract work.
|
|
Kristof Coomans
|
Sunday 28 March 2010 11:09:22 pm
The arguments of the eZDBInterface::generateSQLINStatement() method have slightly changed between the 3.10 and 4.0 series, so applying the patch on 3.10 will probably give unexpected results. I guess you can correct it easily for 3.10 installations though, by removing the 4th argument (false) to the generateSQLINStatement() calls in the patch. I did not test this myself, so use with care.
independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org
|
|
Brendan Pike
|
Monday 29 March 2010 1:36:23 am
Thanks Kristof, search still works fine without that 4th argument so I'll touch wood and run with that :)
www.dbinformatics.com.au
We are always interested in hearing from experienced eZ PHP programmers and eZ template designers interested in contract work.
|
|
Norbert Wagner
|
Tuesday 30 March 2010 5:38:13 am
Hello,
is it safe to simply disable the entire search module? like this:
[SiteAccessRules]
Rules[]=access;disable
Rules[]=module;content/search
Thanks,
Norbert
|
|
Steven E. Bailey
|
Tuesday 30 March 2010 9:05:53 am
Or just advanced search? [SiteAccessRules] Rules[]=access;disable Rules[]=module;content/advancedsearch
Certified eZPublish developer
http://ez.no/certification/verify/396111
Available for ezpublish troubleshooting, hosting and custom extension development: http://www.leidentech.com
|
|
Jean-Luc Nguyen
|
Wednesday 31 March 2010 1:34:34 am
Hello, Can you confirm us that those patches are bundled on eZ 4.3 version? Thanks!
http://www.acidre.com
|
|
Paul Borgermans
|
Wednesday 31 March 2010 2:04:26 am
"
Hello, Can you confirm us that those patches are bundled on eZ 4.3 version? Thanks!
"
Of course! Paul
eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans
|