ezsystems/ezpublish-legacy has a SQL injection in dfscleanup
Description
NB: All tags and branches in this repository are past their end of life, so the vulnerability will not be fixed. The advisory is posted at the request of the researcher, for the information of anyone who might still use this software.
Impact
There is a security vulnerability in eZ Publish Legacy, affecting the dfscleanup.php script and the _getFileList function of the eZDFSFileHandlerMySQLiBackend class (kernel/private/classes/clusterfilehandlers/dfsbackends/mysqli.php). The vulnerability allows an attacker with local shell access and sufficient privileges to run dfscleanup.php to perform a union-based SQL injection against the eZ Publish MySQL database, potentially exposing sensitive data such as user credentials.
It is known to affect the branch 2019.03, and it may well affect other branches.
Credit
The issue was found and reported by security auditor Timothé Ridel from Advens: https://www.advens.com/
Patches
None, the software is past its end of life.
Workarounds
None.
Resources
- Report by Advens: https://github.com/Goaterino/ezpublish-legacy-lab/blob/main/SQL%20injection%20and%20arbitrary%20file%20deletion%20in%20dfscleanup.md
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A union-based SQL injection in eZ Publish Legacy's dfscleanup.php script allows local attackers to expose sensitive database data.
Vulnerability
The vulnerability exists in dfscleanup.php and the _getFileList function of the eZDFSFileHandlerMySQLiBackend class (kernel/private/classes/clusterfilehandlers/dfsbackends/mysqli.php) in eZ Publish Legacy. The bug is a union-based SQL injection reachable only from the command line. It is confirmed to affect the 2019.03 branch, with other branches possibly affected [1][2]. The software is past its end of life, with no plans to release a fix.
Exploitation
An attacker must have local shell access to the server and sufficient privileges to execute the dfscleanup.php script. With that access, the attacker can inject malicious SQL via a crafted union query in the _getFileList function, which interacts with the eZ Publish MySQL database [1][2]. No authentication or user interaction beyond having shell access is required.
Impact
Successful exploitation allows the attacker to read arbitrary data from the MySQL database, including potentially sensitive information such as user credentials. The attack results in information disclosure, compromising the confidentiality of the application's data. The attacker does not escalate privileges on the OS but only gains access to the database contents [1][2].
Mitigation
There is no fix available, and no workarounds are provided. The software (branch 2019.03 and likely others) is past its end of life and will not receive a security patch [1][2]. The only effective mitigation is to discontinue use of the product or ensure that no untrusted users have shell access to the server where it runs.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2019.03
- Range: <= 2019.03
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `_getFileList` function in `eZDFSFileHandlerMySQLiBackend` does not properly sanitize input, allowing a union-based SQL injection when invoked via `dfscleanup.php`."
Attack vector
An attacker must have local shell access and sufficient privileges to run the `dfscleanup.php` script [1][2]. By crafting malicious input that reaches the `_getFileList` function, the attacker can perform a union-based SQL injection against the eZ Publish MySQL database [1][2]. This could expose sensitive data such as user credentials [1][2].
Affected code
The vulnerability resides in the `dfscleanup.php` script and the `_getFileList` function of the `eZDFSFileHandlerMySQLiBackend` class in `kernel/private/classes/clusterfilehandlers/dfsbackends/mysqli.php` [1][2].
What the fix does
No patch is available because all tags and branches of the repository are past their end of life and the vulnerability will not be fixed [1][2]. The advisory recommends that anyone still using this software be aware of the risk, but no remediation guidance is provided [1][2].
Preconditions
- auth: Attacker must have local shell access to the server
- auth: Attacker must have sufficient privileges to execute the dfscleanup.php script
- config: The eZ Publish Legacy installation must use the affected branch (known: 2019.03)
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
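Detection logic for the preconditions listed above, added here as an example and not taken from the advisory or the eZ Publish code base: it reviews process-execution records for runs of dfscleanup.php by accounts outside an allow-list, or with SQL syntax in the arguments. The record format, the account names, the allow-list and the premise that the injected input arrives as a command-line argument are assumptions; the advisory does not state the input path.

```python
import os
import re
import shlex

SCRIPT = "dfscleanup.php"

# Constructed sample records (assumed format): "<time> user=<account> cmd=<command line>"
SAMPLE_LOG = """\
2024-01-10T02:00:01Z user=ezcron cmd=php dfscleanup.php
2024-01-10T09:14:22Z user=ezcron cmd=php dfscleanup.php "x' UNION SELECT 1,2,3 -- "
2024-01-10T09:20:05Z user=ezcron cmd=php index.php
2024-01-10T11:47:40Z user=jdoe cmd=/usr/bin/php ./dfscleanup.php
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$")
# SQL syntax that has no place in a maintenance script's arguments:
# UNION ... SELECT, a single quote, or a comment opener ("-- " or "/*").
SQL_RE = re.compile(r"\bunion\b.*\bselect\b|'|--\s|/\*", re.I | re.S)


def review(log_text, allowed_users=frozenset({"ezcron"})):
    """Return (time, account, reasons) for each suspicious run of SCRIPT."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            argv = shlex.split(m["cmd"])
        except ValueError:  # unbalanced quotes: fall back to whitespace tokens
            argv = m["cmd"].split()
        idx = next((i for i, a in enumerate(argv)
                    if os.path.basename(a) == SCRIPT), None)
        if idx is None:
            continue  # not an invocation of the cleanup script
        reasons = []
        if m["user"] not in allowed_users:
            reasons.append("unexpected-user")
        if SQL_RE.search(" ".join(argv[idx + 1:])):
            reasons.append("sql-in-args")
        if reasons:
            findings.append((m["ts"], m["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in review(SAMPLE_LOG):
        print(ts, user, ",".join(reasons))
```

Feed it records exported from whatever process auditing the host already has, and set `allowed_users` to the single service account that is meant to run the cleanup job.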
References