GHSA-9895-26wr-4fgv: 
PHP vulnerability analysis and mitigation

A remote code execution (RCE) vulnerability was discovered in eZ Platform and eZ Publish Legacy's file upload handling mechanism. The vulnerability, identified as EZSA-2020-001, was disclosed on March 3, 2020, affecting multiple versions including ezsystems/ezpublish-kernel (v7.5.6, v6.13.6, v5.4.14) and ezsystems/ezpublish-legacy (v2019.03.4, v2017.12.7, v5.4.14). The vulnerability could potentially allow attackers with file upload permissions to execute malicious code remotely (EZ Platform).

The vulnerability stems from improper handling of file uploads that could lead to remote code execution. While the vulnerability requires access to file upload functionality, it primarily affects systems not using the recommended vhost configuration. The issue is mitigated in systems using the recommended Nginx or Apache configurations, which restrict PHP file execution to specific files. However, the PHP built-in webserver remains vulnerable as it doesn't support these configuration restrictions (EZ Platform).

If exploited, the vulnerability could allow attackers to execute arbitrary code remotely on affected systems. The severity is rated as High, though the impact is limited to environments where attackers have file upload permissions and where recommended security configurations are not in place (GitHub Advisory).

The vulnerability was patched in versions ezsystems/ezpublish-kernel (v7.5.6.2, v6.13.6.2, v5.4.14.1) and ezsystems/ezpublish-legacy (v2019.03.4.2, v2017.12.7.2, v5.4.14.1). The fix implements a configurable blacklist feature for uploaded filenames, blocking potentially dangerous file extensions including php, php3, phar, phpt, pht, phtml, and pgif. Additionally, protection against path traversal attacks was implemented (EZ Platform).