
Unrestricted Upload of File with Dangerous Type

CVE-2020-10806

Severity High
Score 9.8/10

Summary

eZ Platform and eZ Publish Legacy are vulnerable in their handling of file uploads, which can lead to remote code execution (RCE). An attacker would need access to upload files to exploit the vulnerability. If you have strict controls and trust all users with upload permissions, you are not affected.

Based on our tests, we also believe the vulnerability cannot be exploited if our recommended vhost configuration is used. That vhost template specifies that only the file 'app.php' in the web root is executed, while vulnerable configurations allow the execution of any PHP file. Both Apache and Nginx are affected but are protected by the recommended configuration. The built-in web server in PHP remains vulnerable, as it does not use this type of configuration (that web server should only be used for development, never in production). We cannot be 100% certain that our configuration is not vulnerable, and we do not know whether all our users use the recommended configuration, so we are issuing this fix to be on the safe side.

The fix adds a configurable blacklist of uploaded filename extensions, such as '.php'; files with a blacklisted extension cannot be uploaded. In eZ Platform, the setting is 'ezsettings.default.io.file_storage.file_type_blacklist' in 'eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml' in 'vendors/ezsystems/ezpublish-kernel'. In eZ Publish Legacy, it is 'FileExtensionBlackList' in 'settings/file.ini'. By default, it blocks these file types: php, php3, phar, phpt, pht, phtml, pgif. The fix also includes a new block against path traversal attacks, though this kind of attack was not reproducible in our tests.

Affected versions: 5.4.0 through 5.4.14.0, 6.13.0 through 6.13.6.1, and 7.5.0 through 7.5.6.1 of ezsystems/ezpublish-kernel, and 5.4.0 through 5.4.14.0, 2017.12.0 through 2017.12.7.1, and 2019.3.0 through 2019.3.4.1 of ezsystems/ezpublish-legacy.
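To show what a filename gate like the one the fix describes has to cover, here is an added example (my own code, not eZ Systems' implementation). It uses the advisory's default blacklist, but the helper names and the rejection rules beyond a plain extension match are assumptions of mine: every dot-separated segment of the name is checked, the comparison is case-insensitive, and anything carrying a path separator or a '..' component is refused, which is the same class of input the advisory's path traversal block targets.

```python
# Added example, not eZ Platform / eZ Publish Legacy code.
# Blacklist values come from the advisory; everything else is illustrative.

# Default extension blacklist from the advisory (the fix makes it configurable).
FILE_EXTENSION_BLACKLIST = frozenset(
    {"php", "php3", "phar", "phpt", "pht", "phtml", "pgif"}
)


def blacklisted_segments(filename, blacklist=FILE_EXTENSION_BLACKLIST):
    """Return the blacklisted extension segments found in ``filename``.

    Every dot-separated segment after the first is examined and compared
    case-insensitively, so 'image.php.jpg', 'Index.PHTML' and 'x.php.'
    are all flagged, not only names whose final extension matches.
    """
    segments = filename.lower().split(".")[1:]
    return [s for s in segments if s in blacklist]


def check_upload_name(raw_name, blacklist=FILE_EXTENSION_BLACKLIST):
    """Validate a client-supplied upload name and return the name to store.

    Raises ValueError when the name is empty, contains a NUL byte or a path
    separator, consists only of dots ('.', '..'), or has any extension
    segment on the blacklist. Only a bare basename is ever returned.
    """
    name = raw_name.strip()
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    if "/" in name or "\\" in name or not name.strip("."):
        raise ValueError(f"path component not allowed: {raw_name!r}")
    hits = blacklisted_segments(name, blacklist)
    if hits:
        raise ValueError(f"blacklisted extension {hits[0]!r} in {raw_name!r}")
    return name


def triage(names, blacklist=FILE_EXTENSION_BLACKLIST):
    """Run check_upload_name over a batch and report each outcome."""
    report = {}
    for n in names:
        try:
            report[n] = "accepted as " + check_upload_name(n, blacklist)
        except ValueError as exc:
            report[n] = "rejected: " + str(exc)
    return report


# Constructed sample names (not from the advisory) exercising each rule.
SAMPLE_NAMES = [
    "report.pdf",
    "photo.JPG",
    "archive.tar.gz",
    "index.php",
    "Index.PHTML",
    "image.php.jpg",
    "../../config.ini",
    "..",
]

if __name__ == "__main__":
    for name, outcome in triage(SAMPLE_NAMES).items():
        print(f"{name!r:22} {outcome}")
```

Checking every segment rather than only the last one matters because the web server, not the application, decides which names are handed to the PHP handler. The advisory's own point still stands: the blacklist is a safety net, and the vhost rule that executes only 'app.php' in the web root is the control that removes the execution path entirely.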

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Availability Impact: HIGH
  • Scope: UNCHANGED
  • Privileges Required: NONE
  • User Interaction: NONE
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH

CWE-434 - Unrestricted Upload of File with dangerous type

'Unrestricted file upload with dangerous type' attacks involve an attacker uploading or transferring files of dangerous types to the server. The severity of such an attack depends upon the execution mechanism and the storage location of the uploaded file. Thus, it may range from simple defacement to arbitrary file execution, and complete system takeover.

Advisory Timeline

  • Published