Security advisory: IBEXA-SA-2020-007

Failing access control in system info view
Publication date:
01/12/2020, 11:46

Severity:
High

Affected versions: ezsystems/ez-support-tools v2.2.*
Resolving versions: ezsystems/ez-support-tools v2.2.3

This Security Advisory is about a vulnerability in ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected. A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The "Setup / System info" policy should be required to access it, but only backend login is actually required. This means any editor can see core system information, including the output from phpinfo(). The fix ensures that the access policy is correctly verified.
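As an added illustration, not code from ez-support-tools or Ibexa, a hypothetical Symfony controller showing the two behaviours the advisory describes: an action gated only by backend login, and the same action gated by the setup/system_info policy through the eZ Platform PermissionResolver. The class, action and helper names are assumed.

```php
<?php
// Hypothetical controller illustrating the advisory's bug class.
// Not the ez-support-tools code; class and method names are assumed.

use eZ\Publish\API\Repository\PermissionResolver;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

final class SystemInfoController extends AbstractController
{
    public function __construct(private PermissionResolver $permissionResolver)
    {
    }

    // BEFORE: only an authenticated backend user is required. The link is
    // hidden from the menu, but any editor who knows the URL gets the page.
    public function phpinfoWeak(): Response
    {
        $this->denyAccessUnlessGranted('ROLE_USER'); // authentication only

        return new Response($this->renderPhpInfo());
    }

    // AFTER: the setup/system_info policy is checked on the server side.
    // Hiding a link in the menu is not access control.
    public function phpinfoFixed(): Response
    {
        // hasAccess() returns true, false, or an array of limitations when
        // access is conditional; anything other than true is denied here.
        if ($this->permissionResolver->hasAccess('setup', 'system_info') !== true) {
            throw new AccessDeniedException('setup/system_info policy required');
        }

        return new Response($this->renderPhpInfo());
    }

    // Captures phpinfo() output instead of letting it write to the response
    // stream directly, so it can be returned like any other view.
    private function renderPhpInfo(): string
    {
        ob_start();
        phpinfo();

        return (string) ob_get_clean();
    }
}
```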

The fix is distributed via Composer as ezsystems/ez-support-tools v2.2.3

This issue was reported to us by Mark Krogoll from Comwrap. We are very grateful for their research, and responsible disclosure to us.
https://comwrap.com/
Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
