ZF2012-01: Local file disclosure via XXE injection in Zend_XmlRpc

Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.

Action Taken

The Request and Response implementations in Zend_XmlRpc were patched to ensure libxml_disable_entity_loader() is invoked prior to instantiating any SimpleXML objects. This disables XXE parsing, and thus disables the attack vector.

This patch has been applied starting in versions 1.11.12 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and will be included starting with the 2.0.0beta5 release).

Recommendations

If you are using either Zend_XmlRpc_Server or Zend_XmlRpc_Client in your projects, we recommend immediately upgrading to 1.11.12 or greater.

Update

Additional attack vectors were identified in Zend_Dom, Zend_Feed, and Zend_Soap, and patched in an identical manner.

The patches for these components are included in versions 1.11.13 and 1.12.0 of Zend Framework, and ported to the upcoming version 2.0.0 development branch (released with 2.0.0rc4). If you are using any of the affected components, we recommend upgrading to 1.11.13 or greater immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Johannes Greil
  • Kestutis Gudinavicius

Both from SEC Consult Vulnerability Lab (www.sec-consult.com).

  • Pádraic Brady, for identifying the additional vectors in Zend_Dom, Zend_Feed, and Zend_Soap

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2011-02: Potential SQL Injection Vector When Using PDO_MySql

Executive Summary

Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue, which is described in more detail here:

The PHP Group included a feature in PHP 5.3.6+ that allows any character set information to be passed as part of the DSN in PDO to allow both the database as well as the C-level driver to be aware of which charset is in use which is of special importance when PDO's quoting mechanisms are utilized, which Zend Framework also relies on.

Action Taken

Zend_Db was patched to ensure that any charset information provided to the PDO MySQL adapter will be sent to PDO both as part of the DSN as well as in a SET NAMES query. This ensures that any developer using ZF on PHP 5.3.6+ while using non-ASCII compatible encodings is safe from SQL injection while using the PDO's quoting mechanisms or emulated prepared statements.

The patch has been applied starting in versions 1.11.6 and 1.10.9 of Zend Framework.

Recommendations

If you are using non-ASCII compatible encodings, such as GBK, in conjunction with PDO's MySQL adapter, we strongly urge you to consider upgrading to at least PHP 5.3.6 and use Zend Framework version 1.11.6 or greater, or 1.10.9 if still using the 1.10 series of releases.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Anthony Ferrara

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2011-01: Potential XSS in Development Environment Error View Script

Executive Summary

The default error handling view script generated using Zend_Tool failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector.

Action Taken

Zend_Tool_Project_Context_Zf_ViewScriptFile was patched such that the view script template now calls the escape() method on dumped request variables.

Recommendations

This particular vulnerability affects only those users who (a) are using Zend_Tool (aka the zf CLI) to generate their ErrorController and view script, and (b) are running that code under the "development" configuration environment on a public-facing web server.

If you are running in any environment other than "development", the issue will not present.

There are three approaches you can take:

Make sure you set the correct application environment.

You should only ever run in the "development" environment when developing the application, and typically only behind a firewall. Additionally, you should set your APPLICATION_ENV environment variable via your web server's virtual host configuration whenever possible. For public-facing hosts, set the value to anything other than "development".

If you must run under the "development" application environment on a publically accessible server, follow one of the next two recommendations.

Upgrade to Zend Framework 1.11.4

Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser.

Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.

Modify your error/error.phtml view script

If you cannot upgrade, or if you want to patch previously generated error view scripts, do the following:

  • Open the application/views/scripts/error/error.phtml file from your ZF-generated project in a text editor or your IDE.
  • Find the heading "Request Parameters".
  • In the line following, you'll see the following statement:
    <pre><?php echo var_export($this->request->getParams(), true) ?>
    
  • Edit the above statement to wrap the var_export call within a $this->escape() method call:
    <pre><?php echo $this->escape(var_export($this->request->getParams(), true)) ?>
    

Once complete, save the file.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Robert Lehmann
  • Frederik Braun
  • Hubert Hesse

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2010-07: Potential Security Issues in Bundled Dojo Library

Executive Summary

In mid-March, 2010, the Dojo Foundation issued a Security Advisory indicating potential security issues with specific files in Dojo Toolkit. Details of the advisory may be found on the Dojo website:

In particular, several files in the Dojo tree were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the tree when deploying to production.

Action Taken

Since the files in question have been patched on the Dojo release branches, the only action needed was a new release that contains a new build of Dojo based on the current release branch. In addition, code was added to the Zend Framework Dojo build script to strip out all PHP files as an extra precaution.

Recommendations

This particular vulnerability only affects those users who:

  • Use Dojo, and more specifically,
  • Use the Dojo build supplied by Zend Framework, or
  • Have not updated their site already based on the recommendations of the recent announcement by the Dojo Foundation.

If you fall into one of these categories, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately, and redeploying Dojo from the Dojo packages supplied with Zend Framework:

  • 1.10.3
  • 1.9.8

Alternately, upgrade from official Dojo packages, following the guidelines in the aforementioned advisory from the Dojo Foundation.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Paul Verhoeven, for alerting us to the original Dojo advisory
  • Peter Higgins and James Burke, from the Dojo Toolkit team, for advice on how best to package Zend Framework's Dojo distribution

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json

Executive Summary

Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding, leading to incompatibilities with the JSON specification, and opening the potential for XSS or HTML injection attacks when returning HTML within a JSON string.

Action Taken

Zend_Json_Encoder was patched to escape the solidus character when encoding PHP strings to JSON.

Recommendations

This particular vulnerability only affects those users who are either (a) using Zend_Json_Encoder directly, (b) requesting native encoding instead of usage of ext/json (e.g., by enabling the static $useBuiltinEncoderDecoder property of Zend_Json), or (c) on systems where ext/json is unavailable (e.g. RHEL, CentOS). If you are affected, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately.

  • 1.9.7
  • 1.8.5
  • 1.7.9

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2010-05: Potential XSS vector in Zend_Service_ReCaptcha_MailHide

Executive Summary

Zend_Service_ReCaptcha_MailHide had a potential XSS vulnerability. Due to the fact that the email address was never validated, and because its use of htmlentities() did not include the encoding argument, it was potentially possible for a malicious user aware of the issue to inject a specially crafted multibyte string as an attack via the CAPTCHA's email argument.

Action Taken

An EmailAddress validator was added by default to Zend_Service_ReCaptcha_MailHide (which may be replaced with any Zend_Validate_interface implementation), and the submitted email address is now passed through this validator prior to performing any markup generation. Additionally, accessors for setting and retrieving the encoding to use with htmlentities() have been provided, with a default value of UTF-8 used.

Recommendations

If you use Zend_Service_ReCaptcha_MailHide, it is strongly recommended that you upgrade to either the latest available Zend Framework release, or one of the following releases, immediately:

  • 1.9.7
  • 1.8.5
  • 1.7.9

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer

Executive Summary

Zend_File_Transfer had a potential MIME type injection vulnerability for file uploads. In certain situations where either PHP's ext/finfo extension is not installed and the mime_content_type() function was not available on a system, Zend_File_Transfer would use the user provided value for the type embedded inside the $_FILES superglobal. Additionally, in cases where the functionality was available, but where a type could not be determined by one of them, Zend_File_Transfer would also fallback on the user provided type. Using user provided information for a file's MIME type in uploads is considered an insecure practice, as it provides attack vectors by malicious users.

Action Taken

This vulnerability has been fixed by returning "application/octet" in situations where the MIME type cannot be detected securely by PHP.

Recommendations

If you use this component, or other components that rely on it (e.g., Zend_Form_Element_File), we strongly recommend upgrading to the most current version of Zend Framework available, or one of the following versions.

  • 1.9.7
  • 1.8.5

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken
  • Thomas Weidner, who provided the patch used to resolve the issue issue tracker

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)