GHSA-44m4-9cjp-j587: 
PHP vulnerability analysis and mitigation

A high-severity vulnerability was identified in ezsystems/ezpublish-kernel versions 7.5.* before 7.5.26, affecting image filename handling. The vulnerability was discovered and reported by Christoph Rottermanner and Jonas Roller from it.sec, and was publicly disclosed on January 18, 2022. The issue affects Ibexa DXP v3.3 and eZ Platform v2.5 systems (Ibexa Advisory, GitHub Advisory).

The vulnerability consists of two main issues related to image file handling. The first issue involves potential injection attacks due to insufficient sanitization of original file names. The second issue stems from direct access to images being not access controlled, which was intentionally designed for performance reasons but creates a security weakness. The vulnerability is tracked as GHSA-44m4-9cjp-j587 and has been rated as high severity (Ibexa Advisory).

The vulnerability could allow attackers with image upload permissions to perform injection attacks through maliciously crafted filenames. Additionally, unauthorized users could potentially access images not meant to be publicly accessible if they could correctly deduce or guess the image path and filename through methods such as dictionary attacks (Ibexa Advisory).

The vulnerability has been patched in ezsystems/ezpublish-kernel v7.5.26 and ezsystems/ezplatform-kernel v1.3.12. The fix implements a new approach to image file naming, including better filename sanitization and prepending a 12-character secure random hash to make unauthorized access more difficult. After installing the fix, administrators should run 'php bin/console ibexa:images:normalize-paths' to ensure existing images are properly sanitized and hashed. Additionally, content cache (HTTP and persistence cache) should be cleared, and 'php bin/console liip:imagine:cache:remove' should be executed (Ibexa Advisory).