This Security Update fixes a spoofing/phishing vulnerability where an attacker, using a cloned web site, could get users to log in to your web site and then be redirected back to the clone site, where they could be tricked into giving up personal information like passwords. The update ensures that the redirect target is verified against a whitelist of approved site URLs. We strongly recommend that you install this Security Update as soon as possible. If your hostname(s) are not listed in the HostMatchMapItems or HostUriMatchMapItems settings in your site.ini override file, you need to enter them in the AllowedRedirectHosts setting. The AllowedRedirectHosts setting is new, so you need to add it under the [SiteSettings] section. Here is an example:
[SiteSettings]
# Array of allowed hosts for redirects with full URL from eZ Publish modules.
# Note: Current host and configured hosts (HostMatchMapItems/HostUriMatchMapItems) are always considered trusted
AllowedRedirectHosts[]
AllowedRedirectHosts[]=www.atrustedhost.com
Important: You need to do this before you install the patch. Without this action, login will fail! The only exception is when your hostname(s) are already listed in the HostMatchMapItems or HostUriMatchMapItems settings.
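The check described above, as an added illustration that is not the eZ Publish patch itself: the trusted host set is built from the current host plus the hosts configured in AllowedRedirectHosts, HostMatchMapItems and HostUriMatchMapItems, and a redirect target is accepted only if it is a relative path on the same site or an http(s) URL whose hostname is exactly in that set. The sample site.ini is constructed; the assumption that HostMatchMapItems/HostUriMatchMapItems live under [SiteAccessSettings] in the "host;..." value format, and the way "Key[]" on its own resets an array, follow eZ Publish ini conventions but are not taken from this advisory.

```python
from urllib.parse import urlsplit

# Constructed site.ini override used as sample input (not a real site's configuration).
SAMPLE_SITE_INI = """\
[SiteSettings]
# Array of allowed hosts for redirects with full URL from eZ Publish modules.
AllowedRedirectHosts[]
AllowedRedirectHosts[]=www.atrustedhost.com

[SiteAccessSettings]
HostMatchMapItems[]=www.example.com;eng
HostMatchMapItems[]=admin.example.com;admin
HostUriMatchMapItems[]=www.example.com;fr;fre
"""


def trusted_hosts_from_ini(ini_text):
    """Collect the hostnames the advisory says are trusted for redirects.

    Assumption: eZ-style ini where "Key[]" alone clears the array and
    "Key[]=value" appends; Host*MatchMapItems values are "host;..." strings.
    """
    arrays = {}          # (section, key) -> list of values
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        slot = arrays.setdefault((section, key.strip()), [])
        if not sep:          # "Key[]" on its own resets the array
            slot.clear()
        else:
            slot.append(value.strip())

    hosts = set()
    for v in arrays.get(("SiteSettings", "AllowedRedirectHosts[]"), []):
        hosts.add(v.lower())
    for key in ("HostMatchMapItems[]", "HostUriMatchMapItems[]"):
        for v in arrays.get(("SiteAccessSettings", key), []):
            hosts.add(v.split(";", 1)[0].lower())   # host is the first ";"-separated field
    return hosts


def is_safe_redirect(target, current_host, trusted_hosts):
    """Return True only if `target` may be used as a post-login redirect.

    Accepts: a site-relative path ("/user/..."), or an absolute http(s) URL
    whose hostname is exactly the current host or one of the trusted hosts.
    Rejects: protocol-relative URLs, other schemes, userinfo tricks
    ("trusted@evil"), look-alike subdomains, and control/backslash characters
    that browsers may reinterpret as path separators.
    """
    if any(c == "\\" or ord(c) < 32 for c in target):
        return False
    parts = urlsplit(target)
    if not parts.netloc:
        # No host at all: only a plain absolute path on this site is allowed.
        return parts.scheme == "" and parts.path.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname   # lowercased, userinfo and port stripped by urlsplit
    return host is not None and host in (trusted_hosts | {current_host.lower()})


if __name__ == "__main__":
    trusted = trusted_hosts_from_ini(SAMPLE_SITE_INI)
    print("trusted hosts:", sorted(trusted))
    for candidate in (
        "/user/profile",
        "http://www.atrustedhost.com/after-login",
        "//evil.example/login",
        "http://www.atrustedhost.com@evil.example/",
        "http://www.atrustedhost.com.evil.example/",
    ):
        print(f"{candidate!r:50} -> {'allow' if is_safe_redirect(candidate, 'www.example.com', trusted) else 'deny'}")
```

Running the script prints one allow/deny decision per candidate; in a real deployment the deny branch would fall back to the site's default page rather than honouring the supplied URL. Note that matching is on the exact hostname, so a trusted host does not implicitly trust its subdomains; each hostname users may land on has to be listed, which is why the advisory requires the setting to be in place before the patch is applied.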
Patch for eZ Publish: https://github.com/ezsystems/ezpublish-legacy/commit/63ac69894d3542d7e907a6f4f556f8b368637f11