CVE-2020-10806
📋 TL;DR
This vulnerability allows remote attackers to upload and execute arbitrary PHP code on eZ Publish/eZ Platform servers. Attackers can achieve full server compromise by uploading malicious PHP files through file upload functionality. All eZ Publish/eZ Platform installations with vulnerable versions are affected unless specifically configured to restrict PHP execution.
💻 Affected Systems
- eZ Publish Kernel
- eZ Publish Legacy
- eZ Platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining full control over the web server, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to website defacement, data exfiltration, or deployment of malware/ransomware on the server.
If Mitigated
No impact if proper vhost configuration restricts execution to app.php only or if file uploads are disabled.
🎯 Exploit Status
Exploitation requires file upload capability but no authentication. Simple PHP file upload leads to RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: eZ Publish Kernel: 5.4.14.1, 6.13.6.2, 7.5.6.2; eZ Publish Legacy: 5.4.14.1, 2017.12.7.2, 2019.03.4.2
Vendor Advisory: https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads
Restart Required: No
Instructions:
1. Identify your eZ Publish/eZ Platform version.
2. Update to the patched version via composer update or your package manager.
3. Clear the cache and verify the update.
🔧 Temporary Workarounds
Restrict PHP execution in vhost configuration
Configure the web server to allow execution of app.php only, blocking direct execution of any other PHP file (including uploaded ones).
# Apache example (Files/FilesMatch sections are merged in configuration order,
# so the app.php grant must come after the blanket deny):
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
<Files "app.php">
    Require all granted
</Files>
# Nginx example (the exact-match location for app.php takes precedence over the regex block):
location ~ \.php$ {
    deny all;
}
location = /app.php {
    fastcgi_pass ...
}
Disable file upload functionality
Temporarily disable all file upload features in the eZ Publish configuration.
# Edit ezpublish.yml (or the equivalent configuration file for your version) to disable the upload handlers
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block PHP file uploads and execution attempts
- Restrict network access to eZ Publish administration interfaces and file upload endpoints
🔍 How to Verify
Check if Vulnerable:
Check eZ Publish version via admin panel or by examining composer.json/installed.json files
Check Version:
php bin/console ezplatform:version (for eZ Platform) or check composer.lock
Verify Fix Applied:
Verify that the installed version is a patched release, then test the file upload functionality with a .php file and confirm it can no longer be executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with .php extensions
- POST requests to file upload endpoints with PHP content
- Execution of uploaded files via direct URL access
Network Indicators:
- HTTP requests uploading .php files to eZ endpoints
- Subsequent requests to uploaded PHP files
SIEM Query:
source="web_access_logs" AND ((uri_path="*upload*" AND file_extension=".php") OR (uri_path="*.php" AND referrer="*upload*"))
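As an added example (not code from the page or the vendor), a small Python detector that implements the log indicators above over constructed Apache access-log lines: it flags any request for a .php file other than app.php and escalates the finding when the same client POSTed to an upload endpoint shortly before. The upload endpoint path, storage paths and client addresses are hypothetical.

```python
import re
from datetime import datetime

# Front controller(s) that may legitimately be requested directly; the vhost
# workaround on this page permits app.php only, so that is the default here.
ALLOWED_PHP = {"/app.php"}
# Apache combined-format access log; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample lines: the upload endpoint, storage paths and addresses are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:12:00:01 +0000] "POST /content/upload HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2020:12:00:03 +0000] "GET /storage/original/file/uploaded.php HTTP/1.1" 200 87 "-" "curl/7.68.0"
198.51.100.4 - - [10/Mar/2020:12:01:00 +0000] "POST /content/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:12:01:02 +0000] "GET /storage/original/image/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:12:02:00 +0000] "GET /app.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def detect(log_text, window_seconds=600):
    """Flag .php requests outside the front controller; escalate when the same
    client POSTed to an upload endpoint within window_seconds beforehand."""
    findings = []
    last_upload = {}  # ip -> time of that client's most recent upload POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and "upload" in path.lower():
            last_upload[ip] = ts
            continue
        if path.lower().endswith(".php") and path not in ALLOWED_PHP:
            kind = "php_outside_front_controller"
            prior = last_upload.get(ip)
            if prior is not None and (ts - prior).total_seconds() <= window_seconds:
                kind = "upload_then_php_request"
            # A 200 here means the server served or executed the file, i.e. the execution restriction is not in effect.
            findings.append({"ip": ip, "kind": kind, "path": path, "status": status})
    return findings
```

A 403 on the flagged request instead of a 200 indicates the vhost restriction from the workaround is doing its job; a 200 is the signal to treat as a probable compromise.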