Security advisory: IBEXA-SA-2021-006

Storage and legacy files accessible if path is known
Publication date:
14/09/2021, 13:25


Affected versions: ezsystems/ezplatform v1.13.6, v2.5.24, ibexa/post-install v1.0.4
Resolving versions: ezsystems/ezplatform v1.13.6.1, v2.5.24.1, ibexa/post-install v1.0.4.1

This Security Advisory is about a vulnerability when using Ibexa DXP on The default configuration for ( allows access to uploaded files if you know or can guess their location, regardless of whether roles grant content read access to the content containing those files. If you're using Legacy Bridge, the default configuration also allows access to certain legacy files that should not be readable, including the legacy var directory and extension directories. Our default Apache/Nginx vhost files sets these permissions correctly, but doesn't use those files, as it has its own configuration.

The advisory fixes this with deny-by-default in the web directory, only allowing specific files and subdirectories as needed. This means the fix has to be adapted to your needs. Make sure you apply the changes to your active file. If your installation includes custom web-subdirectories that should be readable, you have to add allow statements for them. We strongly recommend that you install this update as soon as possible.

Please make sure you read and understand the web.locations section of and how it affects your installation.

Please note that on v3.3, the change will not take effect unless you run composer install again, as the files are located among the post-install resources. Either rerun the install, or copy the web.locations section from resources/platformsh/ibexa-commerce/*/ to your active file, and adapt it to your needs.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories