oss-sec mailing list archives

CVE request: eZ Publish: insecure direct object reference

From: Luc ABRIC <luc.abric () oppida fr>
Date: Mon, 19 Mar 2012 09:06:21 +0000


My initial CVE ID request was dropped because it was missing some details. Here comes a re-submission.

After posting to oss-security I was asked a few questions by Kurt Seifried from Red Hat SRT while the vendor was contacted by Secunia asking for pretty much the same information. Secunia then decided it wasn't their role to handle this vulnerability.
I don't know if that's part of the process but I feel like you should know to avoid any duplicated work.

1) Email address of requester
yann.michard () oppida fr, luc.abric () oppida fr & jkn () ez no.
Yann MICHARD discovered the vulnerability, so all the credit goes to him.

2) Software name and optionally vendor name
Vendor: eZ
Product name: eZ Publish
Editions: both Enterprise & Community

3) At least one of (to determine is this a security issue):
  1. Type of vulnerability
OWASP A4: Insecure direct object reference

  2. Exploitation vectors
Access to the vulnerable website (no need for any credentials)

  3. Attack outcome
A browser is enough to execute the attack.

4) For Open Source at least one of:
  1. Link to vulnerable source code or fix
Not available yet.

  2. Link to source code change log
Not available yet.

  3. Link to security advisory
Not available yet.

  4. Link to bug entry
The vendor does not want to release more details until a fix is pushed to the clients.

  5. Request comes from project member (a.k.a. "trust me, it's a problem")
Jostein Knudsen <jkn () ez no> from eZ can confirm the vulnerability.

5) Affected version(s) (3.2.4, 3.x, current version, all current releases, something)
The whole 4.x series it seems (4.1 to 4.6 from the bug entry).

6) Whether or not this has been previously requested (i.e. on OSS-Sec or to cve-assign)
Well yeah but it seems that the request didn't have enough information.

7) Is this an Open Source or commercial software request
Both, the affected software has 2 editions, one open-source, one commercial.

8) Is this an embargoed issue (if yes and commercial: send to cve-assign, if yes and open source: send to vs-sec?)
Not really sure what you mean by embargoed.
The French government asked us not to disclose any details until a fix is available AND installed on their systems because it affects some high profile websites.
We didn't plan on releasing any details before the fix anyway.

9) IF multiple issues are listed please list affected versions for each issue and/or who reported them (so we can determine CVE split/merge).
It's the first issue we're publishing regarding this application.

IT Security Expert

6 avenue du Vieil Etang - Bâtiment B
78180 Montigny-le-Bretonneux
Phone: +33 (0)1 30 14 19 00
Fax:       +33 (0)1 30 14 19 09
Mobile: +33 (0)6 26 87 62 14
luc.abric () oppida fr

