Share » Forums » Developer » Security:((((

Security:((((

Security:((((

Tuesday 15 April 2003 12:22:31 pm - 10 replies

Author Message

Bård Farstad

Tuesday 15 April 2003 1:38:17 pm

This security problem is related to eZ publish beein wrongly installed without virtualhost setup. You need to rename all .ini files files to .ini.php ( e.g. site.ini.php ) when running eZ publish in non virtualhost setup. If you install eZ publish with a virtualhost setup these security problems are not relavant. ( Since all requests go to index.php, except for images and stylesheets ).

The xss problem is fixed.

--bård

Documentation: http://ez.no/doc

Bård Farstad

Tuesday 15 April 2003 1:43:57 pm

Just a note on the xss problem: This is an isse with the template setup. You need to wash the output with the {"text"|wash(xhtml)} operator.

So if you have a template which prints user input, you need to be careful and always use the wash() operator.

-bård

Documentation: http://ez.no/doc

Jan Borsodi

Tuesday 15 April 2003 1:50:38 pm

See
http://ez.no/sdk/doc/view/security_standard/
for more information about security. As Bård explained non-virtual hosts setups are by default insecure and is not preferred, however it's possible to avoid such things as site.ini values being read.
One way is to have a .htaccess file for controlling file access, the other is to keep private information in the settings/override/site.ini.append.php file and wrap the contens inside a PHP comment. This is done automatically by the web setup.

Form tickets has not been implemented yet due to performance issues.

I also see this document needs to be updated ;)

--
Amos

Documentation: http://ez.no/ez_publish/documentation
FAQ: http://ez.no/ez_publish/documentation/faq

Peter Bailey

Wednesday 16 April 2003 9:52:45 am

Reading all the security stuff gave me a headache.

Thanks for the feedback on this important issue.

Does this mean even in my virtual host setup I should use site.ini instead of site.ini.php?

Bård Farstad

Wednesday 16 April 2003 10:38:25 am

When you use a virtualhost, that is with a rewrite rule, you can safely use site.ini. I normally prefer using .ini on configuration files, but you can choose this at your own likeing.

--bård

Documentation: http://ez.no/doc

Kai Duebbert

Wednesday 16 April 2003 7:30:55 pm

Well, the "site.ini" security "bug" is very badly researched of them. Otherwise they would know that the sensitive options are in /settings/override/site.ini.php which can't be compromised like this. Not even in non-virtual-hosts mode.

This is like issuing a security advisory for a default configuration file that gets distributed with a software package. Only a very wrong installation can compromise your site.ini.

The other security bug is valid though.

Kai

Karsten Jennissen

Thursday 17 April 2003 1:01:02 am

I have to agree, not very well researched. On the other hand, the issue reveals, that the .ini / .ini.php thing and its security implications is not explained clearly in the docs. I just browsed through doc/INSTALL and there is not one word on this issue. It should be in there, at least under a separate heading "Security - Important" in a form that nobody can avoid seeing. :-)

Or maybe even make a separate text file and collect the issues relating to security there.

Karsten

sam na

Thursday 17 April 2003 1:14:34 am

Dear Sirs,

My personal attitude is that security should be an essential concern in every serious web application.

As I saw this security bulletin, I forwarded it immediately to the community which was critical in my opinion.

I would suggest either to open a new forum concerning security or to develop better documentation and notification about it.

This will increase the trust relationsship between the community and EZ.

Regards,

Gabriel Ambuehl

Thursday 17 April 2003 4:05:32 am

I think it would be wise to rename the files to ini.php from begin with to avoid this kind of trouble. Its well known to be a problem, after all..

Visit http://triligon.org

Scot Wilcoxon

Tuesday 22 April 2003 10:30:55 am

May I suggest a little Apache configuration addition? The php scripts have filesystem access to the settings files, so there is no need to allow web browser access. This also avoids problems due to utilities appending to .php filenames.

<Directory YOUR_EZPUBLISH_PATH/settings/>
Order deny,allow
Deny from all
Options None
AllowOverride None
</Directory>

You must be logged in to post messages in this topic!

36 542 Users on board!

Forums menu