siberas GmbH is a consulting company specialising in security analyses and penetration tests, advising you competently and independently of any vendor in the field of IT security.


EZ Publish "search" function SQL Injections

Reference ID: SSA-1007
Publication date: 25.03.2010
Severity: critical
Discovered by: Sebastian Apelt

Affected versions: >= 3.7.0 and <= 4.2.0

Two SQL injection vulnerabilities exist in the search functionality of EZ Publish. The parameters “SectionID” and “SearchTimestamp” can both be passed to the application as arrays. Since none of the SectionID array members undergo further validation, an attacker can inject malicious SQL statements into the final search query. The same problem exists for the SearchTimestamp array: its second member is assigned to the publishedDateStop variable, which is later built into the search query without sanitization. Both injections can be used to access sensitive data in any database reachable by the current database user. The search function is usually accessible to everyone, which further aggravates the flaw. Please apply the patch as soon as possible, since an exploit is likely to appear on the net soon.
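As an added illustration in PHP (not the eZ Publish code and not the vendor's patch), the defect the advisory describes next to a hardened form: the vulnerable builder concatenates the array members of SectionID and SearchTimestamp straight into the SQL, while the hardened version rejects any member that is not an unsigned integer and binds the values as parameters. Table and column names are assumptions.

```php
<?php
// Constructed illustration (not eZ Publish code): a search query built from the
// array-valued request parameters SectionID[] and SearchTimestamp[]; table and
// column names are hypothetical.

// Vulnerable pattern: array members are concatenated into the query unchanged.
function buildSearchSqlVulnerable(array $sectionIds, array $searchTimestamps): string
{
    $where = 'section_id IN (' . implode(',', $sectionIds) . ')';
    if (isset($searchTimestamps[1])) {
        $publishedDateStop = $searchTimestamps[1]; // second member, unsanitised
        $where .= ' AND published <= ' . $publishedDateStop;
    }
    return 'SELECT object_id FROM search_index WHERE ' . $where;
}

// Hardened pattern: every member must be an unsigned integer and is bound, not inlined.
function validateIntList(array $values): array
{
    $clean = [];
    foreach ($values as $v) {
        if (!is_int($v) && !(is_string($v) && ctype_digit($v))) {
            throw new InvalidArgumentException('array member is not an integer');
        }
        $clean[] = (int) $v;
    }
    return $clean;
}

function buildSearchStmtHardened(PDO $db, array $sectionIds, array $searchTimestamps): PDOStatement
{
    $sectionIds = validateIntList($sectionIds);
    $searchTimestamps = validateIntList($searchTimestamps);
    if ($sectionIds === []) {
        throw new InvalidArgumentException('SectionID needs at least one value'); // IN () is invalid SQL
    }
    $placeholders = implode(',', array_fill(0, count($sectionIds), '?'));
    $sql = "SELECT object_id FROM search_index WHERE section_id IN ($placeholders)";
    $params = $sectionIds;
    if (isset($searchTimestamps[1])) { // publishedDateStop travels as a bound value
        $sql .= ' AND published <= ?';
        $params[] = $searchTimestamps[1];
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

// Demo against an in-memory SQLite table standing in for the application database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE search_index (object_id INTEGER, section_id INTEGER, published INTEGER)');
$db->exec('INSERT INTO search_index VALUES (1, 2, 1000), (2, 3, 2000), (3, 2, 3000)');
$rows = buildSearchStmtHardened($db, ['2', '3'], ['0', '2500'])->fetchAll(PDO::FETCH_COLUMN);
print_r($rows); // object ids 1 and 2; object 3 lies past publishedDateStop
```

Passing a non-numeric member such as `['2', 'x']` to the hardened builder throws before any SQL is assembled, which is the check the advisory says is missing for both arrays.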

EZ Publish advisory
Patch: 16397.diff