The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0rc2! Packages and installation instructions are available at:

This is a release candidate. It is not the final release, and while stability is generally considered good, there may still be issues to resolve between now and the stable release. Use in production with caution.

DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

Changes in this version

Please see our post for 2.2.0rc1 for a list of changes. In addition to those changes, the following have been made:

  • A late change was made to eliminate and/or make optional several dependencies in Zend\Feed and Zend\Validator. While these are generally backwards compatible, we need to note that you can no longer directly use Zend\I18n\Translator\Translator with validators; instead, you must use Zend\Mvc\I18n\Translator. In most cases, this will not present an issue, as the translator object is generally injected via the ValidatorPluginManager, which has already been updated to inject the correct translator object.

    If you were manually injecting your validators with a translator object, please note that you must now use Zend\Mvc\I18n\Translator.

    The changes have some immediate benefits: you can now use Zend\Feed with third-party HTTP clients!

Changelog

Almost 200 patches were applied for 2.2.0. We will not release a full changelog until we create the stable release. In the meantime, you can view a full set of patches applied for 2.2.0 in the 2.2.0 milestone on GitHub:

Thank You!

Please join me in thanking everyone who provided new features and code improvements for this upcoming 2.2.0 release!

Roadmap

We plan to release additional RCs every 3-5 days until we feel the 2.2.0 release is generally stable; we anticipate a stable release sometime next week.

During the RC period, we will be expanding on documentation, and fixing any critical issues brought to our attention.

Again, DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0rc1! Packages and installation instructions are available at:

This is a release candidate. It is not the final release, and while stability is generally considered good, there may still be issues to resolve between now and the stable release. Use in production with caution.

DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

Changes in this version

  • Addition of many more plugin managers and abstract service factories. In order to simplify usage of the ServiceManager as an Inversion of Control container, as well as to provide more flexibility and consistency in how the various framework components are consumed, a number of plugin managers and service factories were created and enabled.

    Among the various plugin managers created are Translator loader manager, a Hydrator plugin manager (allowing named hydrator instances), and an InputFilter manager.

    New factories include a Translator service factory, and factories for both the Session configuration and SessionManager.

    New abstract factories include one for the DB component (allowing you to manage multiple named adapters), Loggers (for having multiple Logger instances), Cache storage (for managing multiple cache backends), and Forms (which makes use of the existing FormElementsPluginManager, as well as the new Hydrator and InputFilter plugin managers).

  • Data Definition Language (DDL) support in Zend\Db. DDL provides the ability to create, alter, and drop tables in a relational database system. Zend\Db now offers abstraction around DDL, and specifically MySQL and ANSI SQL-92; we will gradually add this capability for the other database vendors we support.

  • Authentication: The DB adapter now supports non-RDBMS credential validation.
  • Cache: New storage backend: Redis.
  • Code: The ClassGenerator now has a removeMethod() method.
  • Console: Incremental improvements to layout and colorization of banners and usage messages; fixes for how literal and non-literal matches are returned.
  • DB: New DDL support (noted earlier); many incremental improvements.
  • Filter: New DateTimeFormatter filter.
  • Form: Many incremental improvements to selected elements; new FormAbstractServiceFactory for defining form services; minor improvements to make the form component work with the DI service factory.
  • InputFilter: new CollectionInputFilter for working with form Collections; new InputFilterPluginManager providing integration and services for the ServiceManager.
  • I18n: We removed ext/intl as a hard requirement, and made it only a suggested requirement; the Translator has an optional dependency on the EventManager, providing the ability to tie into "missing message" and "missing translations" events; new country-specific PhoneNumber validator.
  • ModuleManager: Now allows passing actual Module instances (not just names).
  • Navigation: Incremental improvements, particularly to URL generation.
  • MVC: You can now configure the initial set of MVC event listeners in the configuration file; the MVC stack now detects generic HTTP responses when detecting event short circuiting; the default ExceptionStrategy now allows returning JSON; opt-in translatable segment routing; many incremental improvements to the AbstractRestfulController to make it more configurable and extensible; the Forward plugin was refactored to no longer require a ServiceLocatorAware controller, and instead receive the ControllerManager via its factory.
  • Paginator: Support for TableGateway objects.
  • ServiceManager: Incremental improvements; performance optimizations; delegate factories, which provide a way to write factories for objects that replace a service with a decorator; "lazy" factories, allowing the ability to delay factory creation invocation until the moment of first use.
  • Stdlib: Addition of a HydratorAwareInterface; creation of a HydratorPluginManager.
  • SOAP: Major refactor of WSDL generation to make it more maintainable.
  • Validator: New Brazilian IBAN format for IBAN validator; validators now only return unique error messages; improved Maestro detection in CreditCard validator.
  • Version: use the ZF website API for finding the latest version, instead of GitHub.
  • View: Many incremental improvements, primarily to helpers; deprecation of the Placeholder Registry and removal of it from the implemented placeholder system; new explicit factory classes for helpers that have collaborators (making them easier to override/replace).

Changelog

Almost 200 patches were applied for 2.2.0. We will not release a full changelog until we create the stable release. In the meantime, you can view a full set of patches applied for 2.2.0 in the 2.2.0 milestone on GitHub:

Other Announcements

Around a month ago, we migrated Zend Framework 1 to GitHub. At that time, we also migrated active issues created since 1.12.0 to the GitHub issue tracker, and marked our self-hosted issue tracker read-only. We have decided to turn off that issue tracker, but still retain the original issues at their original locations for purposes of history and transparency. You can find information on the change on our issues landing page.

Thank You!

Please join me in thanking everyone who provided new features and code improvements for this upcoming 2.2.0 release!

Roadmap

We plan to release additional RCs every 3-5 days until we feel the 2.2.0 release is generally stable; we anticipate a stable release in the next 2-3 weeks.

During the RC period, we will be expanding on documentation, and fixing any critical issues brought to our attention.

Again, DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.1.5! Packages and installation instructions are available at:

This is a monthly maintenance release.

Notable changes

2.1.5 is a monthly maintenance release, and the bulk of the issues resolved were centered around code maintainability: docblock typos were corrected, internal variables were renamed more semantically, etc. However, a few changes are notable:

Manual improvements

Last month, we held our first documentation hunt, resulting in a lot of documentation improvements.

Additionally, we began an effort to provide Zend Framework 1 -> Zend Framework 2 migration information. A preview is available on readthedocs.org.

Changelog

Almost 100 patches were applied to the ZF2 codebase, and dozens to the documentation. The full changelog for 2.1.5 is available:

Thank You!

I'd like to thank everyone who provided issue reports, typo fixes, maintenance improvements, bugfixes, and documentation improvements; your efforts make the framework increasingly better!

Roadmap

Maintenance releases happen monthly on the third Wednesday. Version 2.2.0 will release in the first half of May, with the first release candidate dropping during the week of 29 April - 3 May 2013.

ZF2013-03: Potential SQL injection due to execution of platform-specific SQL containing interpolations

The Zend\Db component in Zend Framework 2 provides platform abstraction, which is used in particular for SQL abstraction. Two methods defined in the platform interface, quoteValue() and quoteValueList(), allow users to manually quote values for creating SQL statements; these are in turn consumed by aspects of the SQL abstraction platform, including Zend\Db\Sql\Sql::getSqlStringForSqlObject(), and the getSqlString() method provided in a number of classes in the Zend\Db\Sql namespace.

While these methods are primarily intended for debugging and logging purposes, developers can use them to produce SQL that is then passed to the driver to execute. Due to a flaw in how the quoteValue() and quoteValueList() methods were written, this can lead to potential SQL injection.

The offending code is located in all of the Zend\Db\Adapter\Platform* objects, specifically their quoteValue() and quoteValueList() methods. These methods did not take into account most of the characters that need escaping when creating a quoted value for interpolation into a SQL string. Moreover, these methods quoted values without coordinating with the database extension, which, when available, takes the character set in use into account when quoting.

Action Taken

We have made the following changes to the Platform objects:

  • Platform objects now accept the Driver as an optional parameter. This allows quoteValue() to use the driver level quoting/escaping mechanism to provide an "as safe as possible" value.
  • If a driver level quoting/escaping function is not available, the Platform object will trigger an E_USER_NOTICE.
  • A new API was introduced for the use cases that need quoting without the possibility of a warning being triggered: Zend\Db\Adapter\Platform\PlatformInterface::quoteTrustedValue().

Recommendations

You are only affected by this issue if you directly consume one of the following APIs in your code, and execute the results with your database adapter:

  • Zend\Db\Adapter\Platform*::quoteValue()
  • Zend\Db\Adapter\Platform*::quoteValueList()
  • Zend\Db\Sql\Sql->getSqlStringForSqlObject()
  • Zend\Db\Sql\Select->getSqlString()
  • Zend\Db\Sql\Insert->getSqlString()
  • Zend\Db\Sql\Update->getSqlString()
  • Zend\Db\Sql\Delete->getSqlString()

ZF2's Zend\Db and other components that utilize Zend\Db never directly rely on interpolation of values into SQL strings. This means that unless you find any of the above calls in your code, or any code that effectively calls quoteValue(), this issue does not affect you.

If you do, however, we recommend immediately upgrading to either version 2.0.8 or 2.1.4.

While this advice can be found in many places, it is always worth repeating: you should never rely on interpolation of values into SQL strings; always use prepared statements / parameterization / extension specific value binding.
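Since the advisory's own test for exposure is whether the calls listed above appear in your code, here is an added example (not part of the advisory or of Zend\Db) that scans PHP source for them: a Python script with the function names find_risky_calls and scan_tree chosen for this example, run over a constructed PHP sample.

```python
"""Locate the Zend\\Db calls that ZF2013-03 lists as affected in PHP source."""
from pathlib import Path

# API names from the advisory: a hit only matters if the returned SQL string
# is handed to the adapter for execution rather than logged or displayed.
AFFECTED_CALLS = (
    "quoteValue(",
    "quoteValueList(",
    "getSqlStringForSqlObject(",
    "getSqlString(",
)
# Introduced by the fix: it bypasses the driver-availability notice, so each
# use deserves a review confirming that the argument really is trusted.
REVIEW_CALLS = ("quoteTrustedValue(",)


def find_risky_calls(source, path="<inline>"):
    """Return (path, line_no, api, kind, line) for every listed call in source.

    Plain substring matching: it also flags calls inside comments and strings,
    so the output is a review list, not a verdict.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for api in AFFECTED_CALLS:
            if api in line:
                hits.append((path, line_no, api[:-1], "affected", line.strip()))
        for api in REVIEW_CALLS:
            if api in line:
                hits.append((path, line_no, api[:-1], "review", line.strip()))
    return hits


def scan_tree(root):
    """Scan every *.php file below root and return the combined hit list."""
    hits = []
    for php_file in sorted(Path(root).rglob("*.php")):
        text = php_file.read_text(encoding="utf-8", errors="replace")
        hits.extend(find_risky_calls(text, str(php_file)))
    return hits


# Constructed sample for demonstration; not real application code.
SAMPLE_PHP = r"""<?php
$sql = new \Zend\Db\Sql\Sql($adapter);
$select = $sql->select('users')->where(array('name' => $name));
$statement = $sql->prepareStatementForSqlObject($select); // parameterised: unaffected
$results = $statement->execute();
$raw = $sql->getSqlStringForSqlObject($select);            // affected API ...
$adapter->query($raw, $adapter::QUERY_MODE_EXECUTE);       // ... and executed
$quoted = $adapter->getPlatform()->quoteValue($name);      // affected API
$safe = $adapter->getPlatform()->quoteTrustedValue('x');   // post-fix API
"""

if __name__ == "__main__":
    for path, line_no, api, kind, line in find_risky_calls(SAMPLE_PHP, "sample.php"):
        print("%s:%d [%s] %s -> %s" % (path, line_no, kind, api, line))
```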

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Axel Helmert for alerting us to the issue
  • Ralph Schindler for implementing a solution

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2013-02: Potential Information Disclosure and Insufficient Entropy vulnerabilities in Zend\Math\Rand and Zend\Validate\Csrf Components

In Zend Framework 2, the Zend\Math\Rand component generates random bytes using the OpenSSL or Mcrypt extensions when available, but otherwise falls back to PHP's mt_rand() function. All outputs from mt_rand() are predictable for the same PHP process if an attacker can brute force the seed used by the Mersenne Twister algorithm in a Seed Recovery Attack. This attack can be carried out with minimum effort if the attacker has access to either a random number from mt_rand() or a Session ID generated without additional entropy. This makes mt_rand() unsuitable for generating non-trivial random bytes, since it has Insufficient Entropy to protect against brute force attacks on the seed.

The Zend\Validate\Csrf component generates CSRF tokens by SHA1 hashing a salt, a random number (possibly generated using mt_rand()), and a form name. Where the salt is known, an attacker can brute force the SHA1 hash with minimum effort to discover the random number when mt_rand() is used as a fallback to the OpenSSL and Mcrypt extensions. This constitutes an Information Disclosure: the recovered random number may itself be brute forced to recover the seed value and predict the output of other mt_rand() calls for the same PHP process. This may potentially lead to vulnerabilities in areas of an application where mt_rand() calls exist beyond the scope of Zend Framework.

Action Taken

Zend Framework has revised the Zend\Math\Rand component to replace the current mt_rand() fallback (used when neither OpenSSL nor Mcrypt is available) with Anthony Ferrara's RandomLib, incorporating an additional entropy source based on source code published by George Argyros. The new fallback collects entropy from numerous sources other than PHP's internal seed mechanism and extracts random bytes from the resulting mixed entropy pool.

Recommendations

If you are using either Zend\Math\Rand or Zend\Validate\Csrf, do not have either the OpenSSL or Mcrypt extensions installed in PHP, and are on a non-Unix-like system, we recommend upgrading immediately to version 2.0.8 or 2.1.4.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Pádraic Brady for identifying and reporting the issue, as well as providing a patch to resolve the issue
  • Enrico Zimuel for collaborating on and reviewing the solution

ZF2013-01: Route Parameter Injection Via Query String in Zend\Mvc

In Zend Framework 2, Zend\Mvc\Router\Http\Query is used primarily to allow appending query strings to URLs when they are assembled. However, because it captures all query parameters into the RouteMatch, and because RouteMatch parameters are merged with those of any parent routes, it can override already captured routing parameters, bypassing constraints defined in the parents.

As an example, consider the following route definition:

array(
    'user' => array(
        'type' => 'segment',
        'options' => array(
            'route' => '/user/:key',
            'defaults' => array(
                'controller' => 'UserController',
                'action'     => 'show-action',
            ),
            'constraints' => array(
                'key' => '[a-z0-9]+',
            ),
        ),
        'child_routes' => array(
            'query' => array('type' => 'query'),
        ),
    ),
)

If the request URI was /user/foo/?controller=SecretController&key=invalid_value, the RouteMatch returned after routing would contain the following:

array(
    'controller' => 'SecretController',
    'action'     => 'show-action',
    'key'        => 'invalid_value',
)

This would lead to execution of a different controller than intended, with a value for the key parameter that bypassed the constraints outlined in the parent route.

Action Taken

Zend Framework 2.1 introduced changes to the router implementation that allow passing both query string values and fragment values during URI assembly, effectively obsoleting the original use case of the Query route. As an example, you can now do the following:

$url = $router->assemble(array(
    'name' => 'foo',
), array(
    'query' => array(
        'page' => 3,
        'sort' => 'DESC',
    ),
    // or: 'query' => 'page=3&sort=DESC'
));

// via URL helper/plugin:
$rendererOrController->url('foo', array(), array('query' => $request->getQuery()));

As such, for versions 2.0.8 and 2.1.4, we have marked Zend\Mvc\Router\Http\Query deprecated. Additionally, we have modified the code in its match() method to no longer pass the query parameters to the RouteMatch, eliminating the possibility of route parameter injection entirely.
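To make the merge behaviour concrete, here is an added example (not the framework's router, and not code from the advisory): a Python stand-in for the segment and Query routes that reproduces the RouteMatch shown above for the advisory's request, and then the post-fix result where the Query route no longer contributes parameters. The names USER_ROUTE, route_request and violated_constraints are chosen for this example.

```python
"""Model of the ZF2013-01 route-parameter injection and of the 2.0.8/2.1.4 fix.

Python stand-in for Zend\\Mvc routing written for this example; it is not the
framework's router. Only the pieces the advisory relies on are modelled:
segment matching with constraints, parent/child parameter merging, and a
Query child route.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Route definition from the advisory, in Python form.
USER_ROUTE = {
    "route": "/user/:key",
    "defaults": {"controller": "UserController", "action": "show-action"},
    "constraints": {"key": "[a-z0-9]+"},
    "child_routes": {"query": {"type": "query"}},
}


def match_segment(route_def, path):
    """Match a segment route; return (params, remaining_path) or None."""
    constraints = route_def.get("constraints", {})

    def placeholder(m):
        name = m.group(1)
        return "(?P<%s>%s)" % (name, constraints.get(name, "[^/]+"))

    pattern = re.sub(r":(\w+)", placeholder, route_def["route"])
    m = re.match(pattern, path)
    if m is None:
        return None
    params = dict(route_def.get("defaults", {}))
    params.update(m.groupdict())
    return params, path[m.end():]


def match_query_route(query_string, inject_into_match):
    """Model of the Query route's match().

    Before the fix every query parameter became a RouteMatch parameter;
    after it the route still matches but contributes nothing.
    """
    if not inject_into_match:
        return {}
    return dict(parse_qsl(query_string))


def route_request(uri, route_def, fixed=True):
    """Return the merged RouteMatch parameters for uri, or None when unmatched."""
    parts = urlsplit(uri)
    parent = match_segment(route_def, parts.path)
    if parent is None:
        return None
    params, remaining = parent
    # The Query child route accepts whatever path is left (here "/" or "").
    if remaining.strip("/"):
        return None
    # Child parameters are merged over the parent's: this is the injection point.
    params.update(match_query_route(parts.query, inject_into_match=not fixed))
    return params


def violated_constraints(params, route_def):
    """Names of matched parameters that no longer satisfy their constraint.

    A post-routing check of this kind would catch the overridden "key", but
    not "controller", which has no constraint; only the fix closes that.
    """
    bad = []
    for name, pattern in route_def.get("constraints", {}).items():
        if name in params and re.fullmatch(pattern, str(params[name])) is None:
            bad.append(name)
    return bad


REQUEST = "/user/foo/?controller=SecretController&key=invalid_value"  # from the advisory

if __name__ == "__main__":
    print("vulnerable:", route_request(REQUEST, USER_ROUTE, fixed=False))
    print("fixed:     ", route_request(REQUEST, USER_ROUTE, fixed=True))
```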

Recommendations

If you are using the Query route in Zend Framework 2, we recommend upgrading to Zend Framework 2.0.8 or 2.1.4 immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • codemagician for alerting us to the issue
  • Ben Scholzen for providing the solution

ZF2012-05: Potential XML eXternal Entity injection vectors in Zend Framework 1 Zend_Feed component

Zend_Feed_Rss and Zend_Feed_Atom were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce the server into opening arbitrary files and/or TCP connections.

A similar issue was fixed for 1.11.13 and 1.12.0, in the Zend_Feed::import() factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.

Action Taken

A patch was applied that removes the XXE vector by calling libxml_disable_entity_loader() before attempting to parse the feed via DOMDocument::loadXML().

Recommendations

If you are using any of the components listed, and, in particular, were directly instantiating them, we recommend upgrading to either version 1.11.15 or 1.12.1 or greater.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Yury Dyachenko at Positive Research Center

ZF2012-04: Potential Proxy Injection Vulnerabilities in Multiple Zend Framework 2 Components

Zend\Session\Validator\RemoteAddr and Zend\View\Helper\ServerUrl were found to be improperly parsing HTTP headers for proxy information, which could potentially allow an attacker to spoof a proxied IP or host name.

In Zend\Session\Validator\RemoteAddr, if the client is behind a proxy server, the detection of the proxy URL was incorrect, and could lead to invalid results on subsequent lookups.

In Zend\View\Helper\ServerUrl, if the server lives behind a proxy, the helper would always generate a URL based on the proxy host, regardless of whether or not this was desired; additionally, it did not take into account the proxy port or protocol, if provided.

Action Taken

A new class, Zend\Http\PhpEnvironment\RemoteAddress, was developed to provide reusable code surrounding the detection of a client IP via proxy headers, and Zend\Session\Validator\RemoteAddr was refactored to consume this class. This code:

  • no longer searches against the non-standard Client-Ip header
  • allows specifying the specific header to check against for proxy detection
  • allows specifying a list of trusted proxy servers against which to mask any detected proxy IPs
  • properly selects the right-most IP address from the list of proxy IPs

The ServerUrl view helper was modified as follows:

  • a flag was introduced to enable/disable proxy detection
  • proxy detection is disabled by default
  • in addition to using the X-Forwarded-Host header, support for detecting the proxy port (via the X-Forwarded-Port header) and proxy protocol (via the X-Forwarded-Proto header) was added.

This patch has been applied starting in version 2.0.5 of Zend Framework, as well as to the 2.1 development branch.
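As an added example (a Python model written for this page, not the Zend\Http\PhpEnvironment\RemoteAddress class or the ServerUrl helper themselves), the following implements the rules listed above: proxy headers are only honoured when enabled and when the TCP peer is a trusted proxy, the right-most untrusted address wins, Client-Ip is ignored, and X-Forwarded-Host/Proto/Port drive URL generation only when proxy detection is switched on. The IP syntax check and the default-port fallback are assumptions made for this example.

```python
"""Model of the ZF2012-04 fix: trusted-proxy aware client IP and server URL.

Python stand-in written for this example; it is not Zend\\Http\\PhpEnvironment
\\RemoteAddress or the ServerUrl view helper, only the rules the advisory lists.
"""
import ipaddress


def _is_ip(value):
    """Syntax check added for this example: reject non-IP header entries."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def client_ip(remote_addr, headers, use_proxy=False, trusted_proxies=(),
              proxy_header="X-Forwarded-For"):
    """Return the client IP, trusting proxy headers only under explicit policy.

    remote_addr is the TCP peer (REMOTE_ADDR); headers is a dict of request
    headers. The non-standard Client-Ip header is never consulted.
    """
    if not use_proxy or remote_addr not in trusted_proxies:
        # Either proxy support is off, or the peer is not a proxy we trust,
        # so whatever the header says was written by an untrusted party.
        return remote_addr
    value = headers.get(proxy_header, "")
    if not value:
        return remote_addr
    # Drop the proxies we know; the right-most remaining entry is the first
    # hop we cannot vouch for, so it is treated as the originating client.
    hops = [hop.strip() for hop in value.split(",")]
    unknown = [hop for hop in hops if hop not in trusted_proxies]
    if not unknown or not _is_ip(unknown[-1]):
        return remote_addr
    return unknown[-1]


def server_url(server_name, server_port, is_https, headers, use_proxy=False):
    """Build scheme://host[:port] the way the fixed ServerUrl helper is described.

    Proxy detection is off by default; when on, X-Forwarded-Host,
    X-Forwarded-Proto and X-Forwarded-Port override the local values.
    """
    scheme = "https" if is_https else "http"
    host, port = server_name, int(server_port)
    if use_proxy:
        host = headers.get("X-Forwarded-Host", host).split(",")[0].strip() or host
        proto = headers.get("X-Forwarded-Proto", scheme).strip().lower()
        if proto in ("http", "https"):
            scheme = proto
        port_header = headers.get("X-Forwarded-Port")
        if port_header is not None:
            try:
                port = int(port_header)
            except ValueError:
                pass  # malformed port header: keep the local port
        elif "X-Forwarded-Proto" in headers:
            # Assumption for this example: a scheme override without a port
            # override means the scheme's default port.
            port = 443 if scheme == "https" else 80
    default_port = 443 if scheme == "https" else 80
    if port == default_port:
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)


if __name__ == "__main__":
    # Constructed request: two proxies we run (10.0.0.1, 10.0.0.2) behind the
    # client, plus a left-most entry the client could have set itself.
    hdrs = {"X-Forwarded-For": "198.51.100.7, 203.0.113.5, 10.0.0.2"}
    print(client_ip("10.0.0.1", hdrs, use_proxy=True,
                    trusted_proxies=("10.0.0.1", "10.0.0.2")))
```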

Recommendations

If you are using any of the components listed, we recommend upgrading to 2.0.5 or greater.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Fabien Potencier

ZF2012-03: Potential XSS Vectors in Multiple Zend Framework 2 Components

Zend\Debug, Zend\Feed\PubSubHubbub, Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator, Zend\Uri, Zend\View\Helper\HeadStyle, Zend\View\Helper\Navigation\Sitemap, and Zend\View\Helper\Placeholder\Container\AbstractStandalone were not using Zend\Escaper when escaping HTML, HTML attributes, and/or URLs. While most were performing some escaping, because they were not using context-appropriate escaping mechanisms, they could potentially be exploited to perform Cross Site Scripting (XSS) attacks.

Action Taken

Each component and/or class was evaluated to determine which context-appropriate escaping mechanism should be used, and the appropriate method from Zend\Escaper\Escaper was then used. In most cases, this also involved composing the Escaper class as an injectable dependency.

In the case of Zend\Tag\Cloud\Decorator, the HtmlCloud and HtmlTag decorators were found to lack validation of user-provided HTML element and attribute names. Logic was added to validate these and raise an exception if invalid.

This patch has been applied starting in version 2.0.1 of Zend Framework, as well as to the 2.1 development branch.

Recommendations

If you are using any of the components listed, we recommend upgrading to 2.0.1 or greater.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Robert Basic

ZF2012-02: Denial of Service vector via XEE injection

Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc are vulnerable to XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

Action Taken

All locations where SimpleXML or DOMDocument were used with user input were patched. The patches mitigate the XEE vector by first calling libxml_disable_entity_loader(), and then looping through the DOMDocument children, testing if any are of type XML_DOCUMENT_TYPE_NODE; if so, an exception is raised and execution is halted.

Where SimpleXML is used, the XML is loaded first via DOMDocument and scanned as noted above; once validated, the DOMDocument instance is passed to simplexml_import_dom().

This patch has been applied starting in versions 1.11.13 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and first released with 2.0.0rc4).
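Both this advisory and ZF2012-05 above mitigate by refusing any document that carries a DOCTYPE node, since that is where external entities and expanding entity definitions are declared. The following is an added example (not the Zend patch, which uses PHP's DOMDocument and libxml_disable_entity_loader()) showing the same policy with Python's expat parser, where the check runs at the declaration itself so nothing is expanded first; the feeds and the function names parse_without_dtd and is_safe_feed are constructed for this example.

```python
"""Reject XML carrying a DOCTYPE before any entity is expanded.

Added example modelling the ZF2012-05 / ZF2012-02 mitigation (refuse
documents with a document-type node, so neither external entities nor
entity-expansion bombs can be declared). It uses Python's expat parser
rather than PHP's DOMDocument; the feeds below are constructed samples.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document declares a DOCTYPE."""


def parse_without_dtd(data):
    """Parse data and return (root_element_name, element_count).

    The DOCTYPE handler aborts the parse at the declaration itself, so no
    entity, internal or external, is ever defined or expanded; external
    parameter entities are additionally never fetched.
    """
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE for <%s> rejected" % name)

    def on_start(name, attrs):
        seen.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return seen[0], len(seen)


def is_safe_feed(data):
    """True when data parses and carries no DOCTYPE; False otherwise."""
    try:
        parse_without_dtd(data)
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed samples.
CLEAN_FEED = (b'<?xml version="1.0"?>'
              b'<rss version="2.0"><channel><title>example</title></channel></rss>')

# External entity declared in the DOCTYPE (the XXE shape from ZF2012-05;
# the SYSTEM identifier is a placeholder, not a real target).
XXE_FEED = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE rss [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
            b'<rss><channel><title>&ext;</title></channel></rss>')

# Nested entity definitions (the expansion shape from ZF2012-02, kept tiny).
XEE_FEED = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE rss [<!ENTITY a "aa"><!ENTITY b "&a;&a;">]>'
            b'<rss><channel><title>&b;</title></channel></rss>')

if __name__ == "__main__":
    for label, feed in (("clean", CLEAN_FEED), ("xxe", XXE_FEED), ("xee", XEE_FEED)):
        print(label, "safe" if is_safe_feed(feed) else "rejected")
```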

Recommendations

If you are using either Zend_Dom, Zend_Feed, Zend_Soap or Zend_XmlRpc in your projects, we recommend immediately upgrading to 1.11.13 or greater.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady
