This security problem is related to eZ publish beein wrongly installed without virtualhost setup. You need to rename all .ini files files to .ini.php ( e.g. site.ini.php ) when running eZ publish in non virtualhost setup. If you install eZ publish with a virtualhost setup these security problems are not relavant. ( Since all requests go to index.php, except for images and stylesheets ).
See
http://ez.no/sdk/doc/view/security_standard/
for more information about security. As Bård explained non-virtual hosts setups are by default insecure and is not preferred, however it's possible to avoid such things as site.ini values being read. One way is to have a .htaccess file for controlling file access, the other is to keep private information in the settings/override/site.ini.append.php file and wrap the contens inside a PHP comment. This is done automatically by the web setup.
Form tickets has not been implemented yet due to performance issues.
When you use a virtualhost, that is with a rewrite rule, you can safely use site.ini. I normally prefer using .ini on configuration files, but you can choose this at your own likeing.
Well, the "site.ini" security "bug" is very badly researched of them. Otherwise they would know that the sensitive options are in /settings/override/site.ini.php which can't be compromised like this. Not even in non-virtual-hosts mode.
This is like issuing a security advisory for a default configuration file that gets distributed with a software package. Only a very wrong installation can compromise your site.ini.
I have to agree, not very well researched. On the other hand, the issue reveals, that the .ini / .ini.php thing and its security implications is not explained clearly in the docs. I just browsed through doc/INSTALL and there is not one word on this issue. It should be in there, at least under a separate heading "Security - Important" in a form that nobody can avoid seeing. :-)
Or maybe even make a separate text file and collect the issues relating to security there.
May I suggest a little Apache configuration addition? The php scripts have filesystem access to the settings files, so there is no need to allow web browser access. This also avoids problems due to utilities appending to .php filenames.
<Directory YOUR_EZPUBLISH_PATH/settings/>
Order deny,allow
Deny from all
Options None
AllowOverride None </Directory>
You must be logged in to post messages in this topic!