Security advisory: IBEXA-SA-2022-001

Image filenames sanitization
Publication date:
18/01/2022, 16:29

Severity:
High

Affected versions: ezsystems/ezpublish-kernel v7.5.*, ezsystems/ezplatform-kernel v1.3.*
Resolving versions: ezsystems/ezpublish-kernel v7.5.26, ezsystems/ezplatform-kernel v1.3.12

When image files are uploaded, they are made accessible under a name similar to the original file name. There are two issues with this. Both require access to uploading images in order to exploit them, this limits the impact. The first issue is that certain injection attacks can be possible, since not all possible attack vectors are removed from the original file name.

The second issue is that direct access to the images is not access controlled. This is by design, for performance reasons, and documented as such. But it does mean that images not meant to be publicly accessible can be accessed, provided that the image path and filename is correctly deduced and/or guessed, through dictionary attacks and similar.

Both issues are resolved through a new approach to image file naming. The original filename is sanitised better to resolve the injection vulnerability, and a 12-character secure random hash is prepended, to make unauthorised access prohibitively difficult.

After installing this fix, run
php bin/console ibexa:images:normalize-paths
to ensure all existing images are sanitised and hashed correctly. Also remember to clear content cache (HTTP and persistence cache), to reflect the new image file names. New images uploaded after this will have the change applied automatically. Finally, after clearing the cache, run
php bin/console liip:imagine:cache:remove

Please see the following documentation pages:
https://doc.ibexa.co/en/latest/guide/images/
https://doc.ibexa.co/en/latest/guide/devops/#cache-clearing

This advisory affects Ibexa DXP v3.3 and eZ Platform v2.5. It is distributed as ezsystems/ezplatform-kernel v1.3.12 and ezsystems/ezpublish-kernel v7.5.26. The releases of Ibexa DXP v3.3.13 and eZ Platform v2.5.27 also include this fix.

This issue was reported to us by Christoph Rottermanner and Jonas Roller from it.sec. We are very grateful for their research, and responsible disclosure to us. it.sec is a consulting company founded in 1996 that offers consulting services in the areas of information security, IT compliance & data protection and IT forensics/discovery. Their employees have been conducting security investigations for our customers for years, advising and implementing holistic security concepts.
https://it-sec.de/


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/

All security advisories