Through the lines
This one was discovered by one of my colleagues, Chawalit Tangwongpiboon, while he was searching for security holes in eZPublish.
Go to this page, choose a website and append one of the following to the end of its URL:
/content/browse/2 or /user/register or /ezinfo/about
You can browse the whole content tree of the website, register yourself on it, or simply read information about the versions and packages installed on it.
Where does it come from? Simply from override/site.ini, where the siteaccess rules are defined. These rules actually override your own roles and policies for the anonymous role. But by default, eZ allows anonymous users to access those modules. If you want to secure your site, the best way is to forbid access by modifying the rules:
[SiteAccessRules]
Rules[]=Access;disable
Rules[]=Module;user/register
It will disable the view for this module.
I have tested a lot of sites and almost all of them expose this information and these accesses.
Terrific...
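
As an added example (not code from this post or from eZ Publish), the following Python script reads the text of a site.ini override and reports which of the three paths named above are still enabled. It assumes rules are evaluated in order, with each Access rule setting the mode that later Module rules apply, and that a Module rule may name either a module or a module/view pair; the function names and the sample file are constructed for illustration.

```python
import re

# Paths named in the post: module/view pairs an anonymous visitor can reach.
EXPOSED_VIEWS = ["content/browse", "user/register", "ezinfo/about"]
RULE_RE = re.compile(r"^Rules\[\]\s*=\s*([^;]+);?(.*)$", re.IGNORECASE)

def parse_rules(ini_text):
    """Return the ordered (name, value) pairs of [SiteAccessRules] Rules[]."""
    rules, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[siteaccessrules]"
            continue
        m = RULE_RE.match(line) if in_section else None
        if m:
            rules.append((m.group(1).strip().lower(), m.group(2).strip()))
    return rules

def view_allowed(rules, module_view):
    """Assumed semantics: rules apply in order, Access sets the current mode,
    each later Module rule applies that mode to a module or module/view."""
    module = module_view.split("/")[0]
    allowed, mode = True, True   # no matching rule: access stays enabled
    for name, value in rules:
        if name == "access":
            mode = value.lower() == "enable"
        elif name == "module" and value in (module, module_view):
            allowed = mode
    return allowed

def audit(ini_text):
    """Map each path from the post to True if it is still reachable."""
    rules = parse_rules(ini_text)
    return {v: view_allowed(rules, v) for v in EXPOSED_VIEWS}

# Constructed sample: the post's fix, which only covers user/register.
SAMPLE_INI = """\
[SiteAccessRules]
Rules[]=Access;disable
Rules[]=Module;user/register
"""

if __name__ == "__main__":
    for view, reachable in audit(SAMPLE_INI).items():
        print(f"/{view}: {'STILL REACHABLE' if reachable else 'disabled'}")
```

Run against the rules shown above, it reports user/register as disabled while content/browse and ezinfo/about remain enabled, so each of those needs its own Module rule.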

Comments
1. Through the lines
Maxime THOMAS
Friday 17 October 2008
2. better add these lines to your settings/siteaccess/yourpublicsiteaccess
Carlos Revillo
Friday 17 October 2008
3. Not so long ago!
Damien
Thursday 16 October 2008