Security advisory: IBEXA-SA-2021-003

Block upload of scriptable file types
Publication date:
17/03/2021, 15:52

Severity:
Medium

Affected versions: ezsystems/ezpublish-kernel v6.13.*, v7.5.*, ezsystems/ezplatform-kernel v1.2.*, v1.3.*
Resolving versions: ezsystems/ezpublish-kernel v6.13.8.2, v7.5.15.2, ezsystems/ezplatform-kernel v1.2.5.1, v1.3.1.1

This Security Advisory is about a vulnerability in Ibexa DXP and Ibexa Open Source v3.3. In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.

The fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See "Resolving versions". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting "ezsettings.default.io.file_storage.file_type_blacklist" at:
https://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109

Important note: You should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.

If you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ezplatform.com/en/latest/guide/reporting_issues/

All security advisories