eZ Publish series 4.x up to 4.6 comes equipped with an unique feature – vital user information can easily be obtained with no hassle. It comes with a feature called “ezjscnode” already enabled by default and when enabled this little gem will happily provide us with information about every existing object.  When viewing users it outputs a string containing the username, e-mail address, password hash and which hashing algorithm used.

How to

This feature is easily accessible by using a plain browser. But for this demonstration I’ll show a piece of PHP code in order to show how easy it is to abuse it:

for($i=0; $i
    $content = file_get_contents("MY_URL/ezjscore/call/ezjscnode::load::{$i}::all?ContentType=json");
}

Restricting access

It is trivial to crack a weak password if you already know the hashing algorithm. So, how do we secure it? Disable it in ezjscore.ini or apply secure permissions on it.

Advertisements