Issues

ZF-12486: XML External Entity Injection in Zend Framework

Description

---[ Vulnerable software]

Zend Framework Version: 1.12.0 and earlier

---[ Severity]

Severity level: Medium Impact: XML External Entity Injection (XXE) Attack vector: Remote

CVSS v2 Base Score: 6.4 Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) CVE: N/A

---[ Vulnerability description]

The specialists of the Positive Research center have detected a XXE Injection vulnerability in Zend Framework. XXE Injection is possible during import of RSS documents in Zend Framework. An attacker is able to read an arbitrary file on the target system.

Example: $channel = new Zend_Feed_Rss('http://example.com/rss.xml'); echo $channel->title();

rss.xml content:

<?xml version="1.0"?> ]> FILE:&x; ... ---[ How to fix ]

There is no solution available.

---[Credits]

Vulnerability was detected by Yury Dyachenko (Positive Research Center)

Comments

Fixed on trunk, release-1.11, and release-1.12 branches.