PT-2024-40057 · Php+3 · Php+4

Published 2024-05-15 · Updated 2024-05-15

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

eZ Platform and eZ Publish Legacy (affected versions not specified)

Description

The issue concerns the handling of file uploads in eZ Platform and eZ Publish Legacy and can lead to remote code execution (RCE) if exploited. An attacker needs access to file uploads to exploit it. The recommended vhost configurations for Nginx and Apache can protect against this vulnerability. The built-in PHP webserver remains vulnerable because it does not use such configurations; it should only be used for development. A fix has been implemented that includes a configurable blacklist for uploaded filenames, such as ".php". By default, the blacklist blocks the file types php, php3, phar, phpt, pht, phtml and pgif. The fix also introduces a new block against path traversal attacks.

Recommendations

For eZ Platform, update ezsettings.default.io.file_storage.file_type_blacklist in eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml to include any additional file types that should be blocked from upload.

For eZ Publish Legacy, update FileExtensionBlackList in settings/file.ini to include any additional file types that should be blocked from upload.

As a temporary workaround, consider restricting access to file uploads to trusted users only, until the fix is fully implemented.

Use the recommended vhost configurations for Nginx and Apache to protect against this vulnerability.

Avoid using the built-in PHP webserver in production environments, as it remains vulnerable to this issue.
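
The following Python example is added here and is not code from eZ Platform, eZ Publish Legacy or the advisory. It applies the two controls described above (the default extension blacklist and a path traversal check) to proposed upload paths, and audits an existing storage directory for files that the blacklist would now reject. The function names, the storage root and the sample files are assumptions made for the illustration.

```python
import os
import tempfile

# Default blocked types, as listed in the advisory text above.
DEFAULT_BLACKLIST = frozenset({"php", "php3", "phar", "phpt", "pht", "phtml", "pgif"})


def blocked_extension(name, blacklist=DEFAULT_BLACKLIST):
    """Return the blocked extension of a file name (case-insensitive), or None."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return ext if ext in blacklist else None


def escapes_root(root, relative_path):
    """True if relative_path, joined to root, resolves outside root."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, relative_path))
    return os.path.commonpath([root_real, target]) != root_real


def check_upload(root, relative_path, blacklist=DEFAULT_BLACKLIST):
    """Return a rejection reason for a proposed upload path, or None if acceptable."""
    if escapes_root(root, relative_path):
        return "path traversal"
    ext = blocked_extension(relative_path, blacklist)
    return f"blocked type: {ext}" if ext else None


def audit_storage(root, blacklist=DEFAULT_BLACKLIST):
    """List files already under root whose extension is on the blacklist."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if blocked_extension(name, blacklist):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo():
    """Audit a constructed storage tree (sample data, not real uploads)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for rel in ("images/logo.png", "images/notes.PHTML", "report.pdf"):
            open(os.path.join(root, rel), "w").close()
        return audit_storage(root)


if __name__ == "__main__":
    print(demo())
```

Running `audit_storage` against the real upload directory after applying the fix shows whether any file with a blocked type was stored before the blacklist was in place.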

Code Injection

Weakness Enumeration

Related Identifiers

GHSA-3VWR-JJ4F-H98X

Affected Products

Apache
Nginx
Php
Ez Platform
Ez Publish Legacy