The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of eZ Systems eZ Publish

vulnerability bulletin CVE-2016-1000104 CVE-2016-1000105 CVE-2016-1000107

Web servers: creating client queries via the Proxy header

Synthesis of the vulnerability

An attacker can send a query with a malicious Proxy header to a web service hosting a CGI script creating web client queries, so they go through attacker's proxy.
Impacted products: Apache httpd, Tomcat, Mac OS X, Debian, Drupal Core, VNX Operating Environment, VNX Series, eZ Publish, Fedora, HP-UX, QRadar SIEM, Junos Space, NSM Central Manager, NSMXpress, lighttpd, IIS, nginx, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Perl Module ~ not comprehensive, PHP, Python, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, TrendMicro ServerProtect, TYPO3 Core, Ubuntu, Varnish.
Severity: 3/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 12.
Creation date: 18/07/2016.
Identifiers: 1117414, 1994719, 1994725, 1999671, APPLE-SA-2017-09-25-1, bulletinjul2017, bulletinoct2016, c05324759, CERTFR-2016-AVI-240, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, cpujan2018, CVE-2016-1000104, CVE-2016-1000105, CVE-2016-1000107, CVE-2016-1000108, CVE-2016-1000109, CVE-2016-1000110, CVE-2016-1000111, CVE-2016-1000212, CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, DLA-1883-1, DLA-553-1, DLA-568-1, DLA-583-1, DLA-749-1, DRUPAL-SA-CORE-2016-003, DSA-2019-131, DSA-3623-1, DSA-3631-1, DSA-3642-1, EZSA-2016-001, FEDORA-2016-07e9059072, FEDORA-2016-2c324d0670, FEDORA-2016-340e361b90, FEDORA-2016-4094bd4ad6, FEDORA-2016-4e7db3d437, FEDORA-2016-604616dc33, FEDORA-2016-683d0b257b, FEDORA-2016-970edb82d4, FEDORA-2016-9c8cf5912c, FEDORA-2016-9de7253cc7, FEDORA-2016-9fd814a7f2, FEDORA-2016-9fd9bfab9e, FEDORA-2016-a29c65b00f, FEDORA-2016-aef8a45afe, FEDORA-2016-c1b01b9278, FEDORA-2016-df0726ae26, FEDORA-2016-e2c8f5f95a, FEDORA-2016-ea5e284d34, HPSBUX03665, HT207615, HT208144, HT208221, httpoxy, JSA10770, JSA10774, openSUSE-SU-2016:1824-1, openSUSE-SU-2016:2054-1, openSUSE-SU-2016:2055-1, openSUSE-SU-2016:2115-1, openSUSE-SU-2016:2120-1, openSUSE-SU-2016:2252-1, openSUSE-SU-2016:2536-1, openSUSE-SU-2016:3092-1, openSUSE-SU-2016:3157-1, openSUSE-SU-2017:0223-1, RHSA-2016:1420-01, RHSA-2016:1421-01, RHSA-2016:1422-01, RHSA-2016:1538-01, RHSA-2016:1609-01, RHSA-2016:1610-01, RHSA-2016:1611-01, RHSA-2016:1612-01, RHSA-2016:1613-01, RHSA-2016:1624-01, RHSA-2016:1626-01, RHSA-2016:1627-01, RHSA-2016:1628-01, RHSA-2016:1629-01, RHSA-2016:1630-01, RHSA-2016:1635-01, RHSA-2016:1636-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:1978-01, RHSA-2016:2045-01, RHSA-2016:2046-01, SSA:2016-203-02, SSA:2016-358-01, SSA:2016-363-01, SUSE-SU-2017:1632-1, SUSE-SU-2017:1660-1, SUSE-SU-2019:0223-1, USN-3038-1, USN-3045-1, USN-3134-1, USN-3177-1, USN-3177-2, USN-3585-1, VIGILANCE-VUL-20143, VU#797896.

Description of the vulnerability

Most web servers support CGI scripts (PHP, Python, etc.).

According to the RFC 3875, when a web server receives a Proxy header, it has to create the HTTP_PROXY environment variable for CGI scripts.

However, this variable is also used to store the name of the proxy that web clients has to use. The PHP (via Guzzle, Artax, etc.) and Python scripts will thus use the proxy indicated in the web query for all client queries they will send during the CGI session.

An attacker can therefore send a query with a malicious Proxy header to a web service hosting a CGI script creating web client queries, so they go through attacker's proxy.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2015-4050

Symfony: privilege escalation via _controller

Synthesis of the vulnerability

An attacker can use the _controller parameter of Symfony, in order to change the behavior of a web site.
Impacted products: Debian, eZ Publish, Fedora, Symfony.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 27/05/2015.
Identifiers: 14759, CVE-2015-4050, DSA-3276-1, EZSA-2015-002, FEDORA-2015-9025, FEDORA-2015-9034, FEDORA-2015-9039, VIGILANCE-VUL-16994.

Description of the vulnerability

The Symfony product uses the "_controller" parameter (in YAML, XML, PHP) to choose the controller to be used to handle a route (url).

However, an attacker can directly use the "_controller" parameter in a "/_fragment" url, in order to change the controller. The attacker obtains an HTTP code 403 response, with a body generated by the controller.

An attacker can therefore use the _controller parameter of Symfony, in order to change the behavior of a web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2014-2552

eZ Publish BC Collected Information Export: information disclosure

Synthesis of the vulnerability

An attacker can use eZ Publish BC Collected Information Export, in order to obtain sensitive information.
Impacted products: eZ Publish.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/03/2014.
Identifiers: CVE-2014-2552, TWSL2014-004, VIGILANCE-VUL-14476.

Description of the vulnerability

The BC Collected Information Export extension can be installed on eZ Publish. It is used to export, in CSV format, data posted by users.

However, an attacker can directly request the export, to bypass access restrictions to data.

An attacker can therefore use eZ Publish BC Collected Information Export, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about eZ Systems eZ Publish: