PT-2024-40410 · Apache+1

Published 2024-05-15 · Updated 2024-05-15

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: eZ Platform and Legacy (affected versions not specified)
Description: The issue is related to how uploaded PHP and PHAR files are handled. The fix consists of two parts: web server configuration and disabling the PHAR stream wrapper. The sample web server configuration can allow the execution of uploaded PHP/PHAR code, which can be abused for privilege escalation and to bypass content access controls. The PHAR stream wrapper can execute crafted PHAR archives without being specifically asked to, causing deserialization and code execution; this can happen even if the file name suffix is not ".phar". Any site that allows file uploads is at risk.
Recommendations: To resolve the issue, ensure that your web server will not execute files in directories where files may be uploaded, such as web/var/ and ezpublish_legacy/var/. For Apache, use the following configuration to return HTTP 403 Forbidden for a number of executable file types in your eZ Platform var directory:
RewriteEngine On
RewriteRule ^var/.*(?i)\.(php3?|phar|phtml|sh|exe|pl|bin)$ - [F]
For Nginx, use the following configuration:
location ~ ^/var/.*(?i)\.(php3?|phar|phtml|sh|exe|pl|bin)$ {
    return 403;
}
Disable the PHAR stream wrapper within eZ Platform by modifying the following files:
  • eZ Platform (web/app.php)
  • CLI scripts (bin/console)
  • Legacy (index.php and CLI scripts)
Consider updating to a resolving version using Composer or apply the patches manually.
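As an added check that is not part of this advisory, the following Python snippet applies the rewrite pattern from the Apache/Nginx rules above to constructed request paths and shows which ones the rule rejects. It uses a scoped `(?i:...)` group because Python 3.11+ rejects a mid-pattern global `(?i)`; the effect is the same as in PCRE (`var/` stays case-sensitive, only the suffix is matched case-insensitively). The unblocked double-suffix path illustrates why the second part of the fix, disabling the PHAR stream wrapper, is still required.

```python
import re

# Python form of the advisory's rewrite pattern. PCRE applies a mid-pattern (?i)
# to the remainder of the expression; the scoped group below reproduces that
# exactly, leaving the "var/" prefix case-sensitive.
BLOCK_RE = re.compile(r"^var/.*(?i:\.(php3?|phar|phtml|sh|exe|pl|bin))$")


def is_blocked(path: str) -> bool:
    """True if the web server rule would answer 403 for this request path.

    The path is given relative to the document root, without a leading slash,
    matching the Apache RewriteRule form of the pattern.
    """
    return BLOCK_RE.search(path) is not None


def classify(paths):
    """Split request paths into (blocked, served) lists under the rule."""
    blocked = [p for p in paths if is_blocked(p)]
    served = [p for p in paths if not is_blocked(p)]
    return blocked, served


# Constructed sample upload paths (hypothetical, not taken from the advisory).
SAMPLE_PATHS = [
    "var/site/storage/images/1/2/3/shell.php",          # blocked
    "var/site/storage/original/application/tool.PHAR",  # blocked (case-insensitive suffix)
    "var/site/storage/original/text/notes.phtml",       # blocked
    "var/site/storage/images/photo.jpg",                # served: ordinary upload
    "var/site/storage/original/application/a.phar.zip", # served: suffix is .zip, so the
                                                        # rule does not help; the PHAR
                                                        # wrapper must be disabled too
]

if __name__ == "__main__":
    blocked, served = classify(SAMPLE_PATHS)
    print("403 by rule:", *blocked, sep="\n  ")
    print("still served:", *served, sep="\n  ")
```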

Weakness Enumeration: Code Injection

Related Identifiers: GHSA-PQJM-XCP8-WGMM

Affected Products: Apache, Nginx