ZF2010-07: Potential Security Issues in Bundled Dojo Library

Executive Summary

In mid-March, 2010, the Dojo Foundation issued a Security Advisory indicating potential security issues with specific files in Dojo Toolkit. Details of the advisory may be found on the Dojo website:

In particular, several files in the Dojo tree were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the tree when deploying to production.

Action Taken

Since the files in question have been patched on the Dojo release branches, the only action needed was a new release that contains a new build of Dojo based on the current release branch. In addition, code was added to the Zend Framework Dojo build script to strip out all PHP files as an extra precaution.

Recommendations

This particular vulnerability only affects those users who:

  • Use Dojo, and more specifically,
  • Use the Dojo build supplied by Zend Framework, or
  • Have not updated their site already based on the recommendations of the recent announcement by the Dojo Foundation.

If you fall into one of these categories, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately, and redeploying Dojo from the Dojo packages supplied with Zend Framework:

  • 1.10.3
  • 1.9.8

Alternately, upgrade from official Dojo packages, following the guidelines in the aforementioned advisory from the Dojo Foundation.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Paul Verhoeven, for alerting us to the original Dojo advisory
  • Peter Higgins and James Burke, from the Dojo Toolkit team, for advice on how best to package Zend Framework's Dojo distribution

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json

Executive Summary

Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding, leading to incompatibilities with the JSON specification, and opening the potential for XSS or HTML injection attacks when returning HTML within a JSON string.

Action Taken

Zend_Json_Encoder was patched to escape the solidus character when encoding PHP strings to JSON.

Recommendations

This particular vulnerability only affects those users who are either (a) using Zend_Json_Encoder directly, (b) requesting native encoding instead of usage of ext/json (e.g., by enabling the static $useBuiltinEncoderDecoder property of Zend_Json), or (c) on systems where ext/json is unavailable (e.g. RHEL, CentOS). If you are affected, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately.

  • 1.9.7
  • 1.8.5
  • 1.7.9

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2010-05: Potential XSS vector in Zend_Service_ReCaptcha_MailHide

Executive Summary

Zend_Service_ReCaptcha_MailHide had a potential XSS vulnerability. Due to the fact that the email address was never validated, and because its use of htmlentities() did not include the encoding argument, it was potentially possible for a malicious user aware of the issue to inject a specially crafted multibyte string as an attack via the CAPTCHA's email argument.

Action Taken

An EmailAddress validator was added by default to Zend_Service_ReCaptcha_MailHide (which may be replaced with any Zend_Validate_interface implementation), and the submitted email address is now passed through this validator prior to performing any markup generation. Additionally, accessors for setting and retrieving the encoding to use with htmlentities() have been provided, with a default value of UTF-8 used.

Recommendations

If you use Zend_Service_ReCaptcha_MailHide, it is strongly recommended that you upgrade to either the latest available Zend Framework release, or one of the following releases, immediately:

  • 1.9.7
  • 1.8.5
  • 1.7.9

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer

Executive Summary

Zend_File_Transfer had a potential MIME type injection vulnerability for file uploads. In certain situations where either PHP's ext/finfo extension is not installed and the mime_content_type() function was not available on a system, Zend_File_Transfer would use the user provided value for the type embedded inside the $_FILES superglobal. Additionally, in cases where the functionality was available, but where a type could not be determined by one of them, Zend_File_Transfer would also fallback on the user provided type. Using user provided information for a file's MIME type in uploads is considered an insecure practice, as it provides attack vectors by malicious users.

Action Taken

This vulnerability has been fixed by returning "application/octet" in situations where the MIME type cannot be detected securely by PHP.

Recommendations

If you use this component, or other components that rely on it (e.g., Zend_Form_Element_File), we strongly recommend upgrading to the most current version of Zend Framework available, or one of the following versions.

  • 1.9.7
  • 1.8.5

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken
  • Thomas Weidner, who provided the patch used to resolve the issue issue tracker

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)