Lookup for vulnerable packages by Package URL.

Purl pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B4
Type composer
Namespace ezsystems
Name ezpublish-legacy
Version 2018.6.1+4
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 2019.3.6+1
Latest_non_vulnerable_version 2019.3.6+1
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-f41r-p9hu-hyhx
vulnerability_id VCID-f41r-p9hu-hyhx
summary
Ez Platform and Legacy are prone to an insecure interpretation of PHP/PHAR uploads
eZ Platform and Legacy are affected by an issue related to how uploaded PHP and PHAR files are handled. It consists of two parts: 1. Web server configuration, and 2. Disabling the PHAR stream wrapper.

**1. WEB SERVER CONFIGURATION**
The sample web server configuration in our documentation can in some cases allow the execution of uploaded PHP/PHAR code. This can be abused to allow privilege escalation and breach of content access controls, among other things. Please ensure that your web server will not execute files in directories where files may be uploaded, such as web/var/ and ezpublish_legacy/var/.

As an example, here is how you can make Apache return HTTP 403 Forbidden for a number of executable file types in your eZ Platform var directory. Please adapt it to your needs. It is then possible to enable logging of HTTP 403 in a separate log file if you wish; you could do this to see if someone is trying to abuse the server.
```
RewriteEngine On
```
references
0
reference_url https://github.com/ezsystems/ezplatform/commit/9a0c52dc4535e4b3ce379f80222dc53f705a2cfd
reference_id
reference_type
scores
url https://github.com/ezsystems/ezplatform/commit/9a0c52dc4535e4b3ce379f80222dc53f705a2cfd
1
reference_url https://github.com/ezsystems/ezpublish-legacy
reference_id
reference_type
scores
url https://github.com/ezsystems/ezpublish-legacy
2
reference_url https://github.com/ezsystems/ezpublish-legacy/commit/d21957bf202b091ab39dfb5be300f6c30be3933e
reference_id
reference_type
scores
url https://github.com/ezsystems/ezpublish-legacy/commit/d21957bf202b091ab39dfb5be300f6c30be3933e
3
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-21-1.yaml
reference_id
reference_type
scores
url https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-21-1.yaml
4
reference_url https://web.archive.org/web/20210614192208/https://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads
reference_id
reference_type
scores
url https://web.archive.org/web/20210614192208/https://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads
5
reference_url https://github.com/advisories/GHSA-pqjm-xcp8-wgmm
reference_id GHSA-pqjm-xcp8-wgmm
reference_type
scores
url https://github.com/advisories/GHSA-pqjm-xcp8-wgmm
fixed_packages
0
url pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B3
purl pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%252B3
1
url pkg:composer/ezsystems/ezpublish-legacy@5.3.12%2B6
purl pkg:composer/ezsystems/ezpublish-legacy@5.3.12%2B6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@5.3.12%252B6
2
url pkg:composer/ezsystems/ezpublish-legacy@5.4.12%2B3
purl pkg:composer/ezsystems/ezpublish-legacy@5.4.12%2B3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@5.4.12%252B3
3
url pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B3
purl pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B3
4
url pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B4
purl pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B4
aliases GHSA-pqjm-xcp8-wgmm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f41r-p9hu-hyhx
1
url VCID-ufw5-emg4-cqd6
vulnerability_id VCID-ufw5-emg4-cqd6
summary EZSA-2018-006 XSS vulnerability in 'disabled module' error template
references
0
reference_url http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template
reference_id
reference_type
scores
url http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template
fixed_packages
0
url pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B2
purl pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B2
1
url pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B4
purl pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B4
2
url pkg:composer/ezsystems/ezpublish-legacy@2019.3.0
purl pkg:composer/ezsystems/ezpublish-legacy@2019.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6cyy-uhhk-63aa
1
vulnerability VCID-qymv-b76a-2yh2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.0
aliases GMS-2018-66
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ufw5-emg4-cqd6
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B4