This one was discovered by one of my colleagues, Chawalit Tangwongpiboon, while he was searching for security holes in eZ Publish.
Go to this page, choose a website and append one of the following to its URL:
/content/browse/2 or /user/register or /ezinfo/about
You can browse the whole content tree of the website, register yourself as a user, or read information about the versions and packages installed on it.
Where does it come from? From override/site.ini, where the siteaccess rules are defined. These rules take precedence over the roles and policies you have set for the anonymous role, and by default eZ allows anonymous users to access those modules. If you want to secure your site, the best way is to forbid access by modifying the rules:
[SiteAccessRules]
Rules[]=Access;disable
Rules[]=Module;user/register
This disables the register view of the user module.
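To see which of the three entry points a given [SiteAccessRules] block still leaves open, here is a small checker added for this post (it is not code from eZ Publish or from the original author). It models rule evaluation as I understand it from the default site.ini: an access;enable or access;disable entry sets the mode applied by the moduleall and module;<name> entries that follow it, and a path that no entry matches is treated as denied; the site.ini fragment is constructed.

```python
import re

# Constructed sample: an override/site.ini fragment in the usual eZ layout
# (enable everything, then the fix from the post).
SAMPLE_SITE_INI = """
[SiteAccessRules]
Rules[]=access;enable
Rules[]=moduleall
Rules[]=access;disable
Rules[]=module;user/register
"""

# The three anonymous-reachable URLs from the post, as module/view paths.
EXPOSED_PATHS = ["content/browse", "user/register", "ezinfo/about"]


def parse_rules(ini_text):
    """Return the Rules[] values of the [SiteAccessRules] section, in file order."""
    rules, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[SiteAccessRules]"
            continue
        m = re.match(r"Rules\[\]=(.+)", line)
        if in_section and m:
            rules.append(m.group(1).strip())
    return rules


def is_allowed(rules, path):
    """Apply rules in order: access;enable|disable sets the mode that later
    moduleall / module;<name> entries apply. Assumed semantics; deny if unmatched."""
    module = path.split("/", 1)[0]
    allowed, mode = False, "enable"
    for rule in rules:
        kind, _, arg = rule.partition(";")
        if kind.lower() == "access":
            mode = arg.lower()
        elif kind.lower() == "moduleall":
            allowed = mode == "enable"
        elif kind.lower() == "module" and arg in (module, path):
            allowed = mode == "enable"
    return allowed


def still_exposed(ini_text):
    """List the post's paths that anonymous requests can still reach."""
    rules = parse_rules(ini_text)
    return [p for p in EXPOSED_PATHS if is_allowed(rules, p)]
```

Run still_exposed() on your own override/site.ini to confirm that all three paths are closed, not only user/register.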
I have tested a lot of sites and almost all of them leave this information and these accesses exposed.
Terrific...