Skip to main content

Improper Control of Generation of Code ('Code Injection')

CVE-2020-10806

Severity High
Score 9.8/10

Summary

The eZ Platform and eZ Publish Legacy are vulnerable to handling file uploads, which can lead to remote code execution (RCE). An attacker would need access to upload files to exploit the vulnerability. If you have strict controls and trust all users with upload permissions, you are not affected. Based on our tests, we also believe the vulnerability cannot be exploited if our recommended vhost configuration is used. This vhost template specifies that only the file 'app.php' in the web root is executed, while vulnerable configurations allow the execution of any PHP file. Both Apache and Nginx are affected but are protected by using the recommended configuration. The built-in webserver in PHP remains vulnerable, as it does not use this type of configuration (this web server should only be used for development, never for production). We cannot be 100% certain our configuration is not vulnerable. Additionally, we do not know if all our users use the recommended configuration, so we are issuing this fix to be on the safe side. The fix includes a blacklist feature for uploaded filenames, such as '.php'. File types on the blacklist cannot be uploaded. The blacklist is configurable. In eZ Platform, you will find it as 'ezsettings.default.io.file_storage.file_type_blacklist' in 'eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml' in 'vendors/ezsystems/ezpublish-kernel'. In eZ Publish Legacy, you will find it as 'FileExtensionBlackList' in 'settings/file.ini'. By default, it blocks these file types: php, php3, phar, phpt, pht, phtml, pgif. The fix also includes a new block against path traversal attacks, though this kind of attack was not reproducible in our tests. The vulnerability affects versions 5.4.0 through 5.4.14.0, 6.13.0 through 6.13.6.1, and 7.5.0 through 7.5.6.1 in ezsystems/ezpublish-kernel, and 5.4.0 through 5.4.14.0, 2017.12.0 through 2017.12.7.1, and 2019.3.0 through 2019.3.4.1 in ezsystems/ezpublish-legacy.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-94 - Code Injection

Code injection is a type of vulnerability that allows an attacker to execute arbitrary code. This vulnerability fully compromises the machine and can cause a wide variety of security issues, such as unauthorized access to sensitive information, manipulation of data, denial of service attacks etc. Code injection is different from command injection in the fact that it is limited by the functionality of the injected language (e.g. PHP), as opposed to command injection, which leverages existing code to execute commands, usually within the context of a shell.

Advisory Timeline

  • Published