Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-29699

XSS vulnerability in 'disabled module' error template

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: High High
    • Resolution: Fixed
    • Affects Version/s: 5.3.12, 5.4.12
    • Fix Version/s: Customer request
    • Labels:
    • Environment:

      Mozilla FF (tested on the current latest version 62.0.2 but Customer observed it also on IE 11.0.9600.19100 and Firefox 52.8.0). Chrome and Safari are not affected.

      Description

      Update: Fixed in v2018.09.1.2, v2018.06.1.3, v2017.12.4.2, v5.4.12.2, v5.3.12.5

      Customer observed an issue, where JS code is run from the proper formatted URL e.g. http://mysite.com/%3Cimg%20src=0%20onError=alert(document.cookie)%3E.

      Steps to reproduce:
      1. Edit [SiteAccessRules] section located in ezpublish_legacy/settings/site.ini and enable following lines:

      [SiteAccessRules]
      Rules[]
      Rules[]=access;disable
      Rules[]=moduleall
      

      2. Clear all the caches.
      3. Visit your site URL and add suffix like: <img src="" onError=alert(document.cookie)>.
      4. See that JS alert window is shown.

        Activity

        Show
        Gunnstein Lye added a comment - QA, please test: v5.3.12.4-security branch: https://github.com/ezsystems/ezpublish-legacy-ee/commit/f9318582125d379f669a9df64e98be37221811b0 v5.4.12.1-security branch: https://github.com/ezsystems/ezpublish-legacy-ee/commit/0f1f20f0ff70ba68f7c153d007db2fd3cbcf65ce
        Hide
        Michał Szołtysek added a comment -

        QA Approved on v5.3.12 & v5.4.12 with diffs from the above.
        JS code was not run.
        Didn't find any issues with basic sanities in default setup.

        Show
        Michał Szołtysek added a comment - QA Approved on v5.3.12 & v5.4.12 with diffs from the above. JS code was not run. Didn't find any issues with basic sanities in default setup.
        Hide
        Gunnstein Lye added a comment - - edited

        Distributed publicly for Community as EZSA-2018-006 at 2018-11-01
        http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template
        Tagged v2018.09.1.2, v2018.06.1.3, v2017.12.4.2

        security-advisories PR https://github.com/FriendsOfPHP/security-advisories/pull/332

        Show
        Gunnstein Lye added a comment - - edited Distributed publicly for Community as EZSA-2018-006 at 2018-11-01 http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template Tagged v2018.09.1.2, v2018.06.1.3, v2017.12.4.2 security-advisories PR https://github.com/FriendsOfPHP/security-advisories/pull/332

          People

          • Assignee:
            Unassigned
            Reporter:
            Konrad Oboza
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Time Tracking

              Estimated:
              Original Estimate - Not Specified
              Not Specified
              Remaining:
              Remaining Estimate - 0 minutes
              0m
              Logged:
              Time Spent - 7 hours
              7h