eZ Publish eZ JS Core Extension Multiple Vulnerabilities


Description   Some vulnerabilities have been reported in eZ Publish, which can be exploited by malicious people to conduct cross-site scripting attacks, manipulate certain data, and disclose potentially sensitive information.
1) Input passed via the URL to ezjscore/call is not properly sanitised in the eZ JS Core extension before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
This vulnerability is reported in eZ Publish versions 4.6 and prior running eZ JS Core extension versions 1.4 and prior.
2) An error within the eZ JS Core extension can be exploited to change node priorities without edit access rights.
3) An error related to content fetching in the eZ JS Core extension can be exploited to disclose the contents and metadata of content objects within the database.
Vulnerabilities #2 and #3 are reported in eZ JS Core extension versions 1.2, 1.3, and 1.4.
     
Vulnerable Products   Vulnerable Software:
eZ Publish 4.x
     
Solution   Apply update.
eZ Publish Enterprise Edition: Apply security updates EZPESU-2012-001-EZJSCORE1.x and EZPESU-2012-006-EZJSCORE1.x.
eZ Publish Community Project: Update to eZ Publish Community Project 2012.4, which fixes vulnerabilities #2 and #3. Vulnerability #1 is fixed in the Git repository:
https://github.com/ezsystems/ezjscore/commit/58854564c7b8672090c25c4b1677d08620d870f2
     
CVE   CVE-2012-1597
     
References   eZ Publish:
http://share.ez.no/community-project/security-advisories/ezsa-2012-001-information-disclosure-access-rights-issue-in-ezjscore-extension
http://share.ez.no/community-project/security-advisories/ezsa-2012-006-xss-exploit-on-ezjscore-run-command-when-using-firefox
Oppida:
http://blog-oppida.blogspot.fr/2012/03/ezpublish-cross-site-scripting-in-uri.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                                                    Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL                       3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL                         3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL                     3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL                       3.2.0
XSS - Phishing : suspicious 'div' tag found in URL                                  3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL                  3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL                          3.2.0
XSS - Phishing : suspicious 'a' tag found in URL                                    3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL   3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL                        3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL                       3.2.0
XSS - Phishing : suspicious 'form' tag found in URL                                 3.2.0
XSS - Prevention - GET : javascript code found in URL                               3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL       3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL                        3.2.0
XSS - Phishing : suspicious 'link' tag found in URL                                 3.2.0
XSS - Prevention - GET : 'script' tag found in URL                                  3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL                  3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL                          3.2.0
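As an added illustration (not part of the advisory and not the ASQ engine's own rule set), a small Python detector that applies the same kind of checks as the alarms above to request URIs, including the repeated percent-decoding needed to raise the encoding-evasion alarm. The alarm mapping, the regex and the sample URIs (including the hypothetical example::hello function) are constructed for this example.

```python
import re
from urllib.parse import unquote

# A subset of the ASQ alarm names from the table above, keyed by the HTML tag
# each one watches for. Constructed for this example; not the engine's rules.
TAG_ALARMS = {
    "script": "XSS - Prevention - GET : 'script' tag found in URL",
    "iframe": "XSS - Prevention - GET : suspicious 'iframe' tag found in URL",
    "img": "XSS - Prevention - GET : suspicious 'img' tag found in URL",
}
EVASION_ALARM = "XSS - Prevention - GET : evasion attempt using tag characters encoding in URL"
# Opening or closing tag, tolerant of whitespace after '<' and '/'.
TAG_RE = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.IGNORECASE)

def decode_url(url, rounds=3):
    """Percent-decode up to `rounds` times (double encoding is a common
    evasion) and report whether '<' or '>' appeared only after decoding,
    i.e. the raw request carried tag characters in encoded form."""
    raw_has_tag_chars = "<" in url or ">" in url
    decoded = url
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    encoded = not raw_has_tag_chars and ("<" in decoded or ">" in decoded)
    return decoded, encoded

def match_alarms(url):
    """Return the alarm names raised by one request URI, in match order."""
    decoded, encoded = decode_url(url)
    alarms = [EVASION_ALARM] if encoded else []
    for tag in TAG_RE.findall(decoded):
        name = TAG_ALARMS.get(tag.lower())
        if name and name not in alarms:
            alarms.append(name)
    return alarms

# Constructed request URIs (not from any real log): a benign ezjscore call to a
# hypothetical function, a plainly reflected tag, and a double-encoded tag.
SAMPLE_URLS = [
    "/ezjscore/call/example::hello?node=42",
    "/ezjscore/call/x<script>x</script>",
    "/ezjscore/call/x%253Cimg%2520src%3Dx%253E",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", match_alarms(u) or ["(no alarm)"])
```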
     
Risk level   Moderate
     
Vulnerability First Public Report Date   2012-03-29
     
Target Type   Server
     
Possible exploit   Remote