Security Advisory IBEXA-SA-2020-007: Failing access control in system info view

Publication date: 01/12/2020, 11:46

Severity: High

Affected versions: ezsystems/ez-support-tools v2.2.*
Resolving versions: ezsystems/ez-support-tools v2.2.3

This Security Advisory is about a vulnerability in ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected. A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The "Setup / System info" policy should be required to access it, but only backend login is actually required. This means any editor can see core system information, including the output from phpinfo(). The fix ensures that the access policy is correctly verified.

The fix is distributed via Composer as ezsystems/ez-support-tools v2.2.3

This issue was reported to us by Mark Krogoll from Comwrap. We are very grateful for their research, and responsible disclosure to us.
https://comwrap.com/

Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/

All security advisories

Tech blog

Get started with Ibexa DXP

Tutorials

Training

Slack

GitHub

Product roadmap

Community packages

REST API reference

GraphQL API docs

Product security at Ibexa

Security Advisories

Software service life

Issue tracker

Security advisory: IBEXA-SA-2020-007

Failing access control in system info view