Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xaGpjLWhnOTQtMjQ1ds4AA8Hp
eZ Platform Prevent accepting app.php in URL in Platform.sh
The recommended rewrite rules in eZ Platform prevent users from including the front-controller script (normally "app.php") in URLs. This blocks certain vulnerabilities related to caching. However, such rewrite rules are not available when using eZ Platform Cloud (i.e. running eZ Platform on the Platform.sh cloud service), nor can the equivalent be expressed in the .platform.app.yaml configuration file. Therefore such requests must be rejected in the application itself. This fix adds that rejection to the front-controller script.
If you use eZ Platform Cloud / Platform.sh, we recommend that you install this security update as soon as possible. It is distributed via Composer as ezsystems/ezplatform 1.7.9.1, 1.13.5.1 and 2.5.4. The fix is this commit: https://github.com/ezsystems/ezplatform/commit/34ce86722b36a172e587068fe64a84faa7320cc2
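One way to perform the rejection described above, shown as an added illustration in PHP and not the code from the linked ezsystems/ezplatform commit: the helper name requestNamesFrontController, the percent-decoding step and the choice of a 404 response are assumptions made here, not the project's.

```php
<?php
// Added illustration (not the ezsystems/ezplatform commit): reject any request
// whose URL path names the front-controller script, for deployments where the
// web server's rewrite rules cannot do it (e.g. eZ Platform Cloud / Platform.sh).
// Intended to sit at the very top of web/app.php, before the kernel is booted.

// Constructed helper: true when a path segment equals the script name
// (case-insensitive), e.g. "/app.php", "/app.php/content/view" or "/APP.PHP?x=1".
function requestNamesFrontController($requestUri, $script = 'app.php')
{
    // Only the path matters; the query string and fragment are ignored.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if ($path === false || $path === null) {
        return false;
    }
    // Decode percent-encoding so "app%2Ephp" is matched like "app.php".
    $path = rawurldecode($path);
    foreach (explode('/', $path) as $segment) {
        if (strcasecmp($segment, $script) === 0) {
            return true;
        }
    }
    return false;
}

$requestUri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
if (PHP_SAPI !== 'cli' && requestNamesFrontController($requestUri)) {
    // Refuse before any routing or caching layer sees the request.
    http_response_code(404);
    header('Content-Type: text/plain; charset=UTF-8');
    echo "Not Found\n";
    exit;
}
```

The check runs before the Symfony kernel is created so that no route, cache key or generated URL ever contains the script name; a request for /app.php/some/path is refused outright, while the same content remains reachable at /some/path through the normal rewritten entry point.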
Permalink: https://github.com/advisories/GHSA-qhjc-hg94-245v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xaGpjLWhnOTQtMjQ1ds4AA8Hp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 7 months ago
Identifiers: GHSA-qhjc-hg94-245v
References:
- https://github.com/ezsystems/ezplatform/commit/34ce86722b36a172e587068fe64a84faa7320cc2
- https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezplatform/2019-09-03-2.yaml
- https://share.ez.no/community-project/security-advisories/ezsa-2019-007-prevent-accepting-app.php-in-url-in-platform.sh
- https://github.com/advisories/GHSA-qhjc-hg94-245v
Blast Radius: 0.0
Affected Packages
packagist:ezsystems/ezplatform
Dependent packages: 8
Dependent repositories: 4
Downloads: 41,030 total
Affected Version Ranges: >= 1.7.0, < 1.7.9.1, >= 1.13.0, < 1.13.5.1, >= 2.5.0, < 2.5.4
Fixed in: 1.7.9.1, 1.13.5.1, 2.5.4
All affected versions: 1.7.0, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.5.15, 2.5.16, 2.5.17, 2.5.18, 2.5.19, 2.5.20, 2.5.21, 2.5.22, 2.5.23, 2.5.24, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8
All unaffected versions: 0.5.0, 0.5.1, 0.7.0, 0.9.0, 0.9.1, 0.9.2, 0.11.0, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1