Zend Framework

Zend_View render() allows parent directory notation, opening potential LFI exploit

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Critical
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.9.1
  • Component/s: Zend_View
  • Labels: None

Description

Zend_View::render() currently allows script names that include parent directory notation – which could lead to a potential local filesystem inclusion exploit if provided unfiltered user input. As view scripts should only ever match beneath the registered view script directories, render() (or _script()) should filter for this sort of input and raise an exception when such input is detected.
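The check the description asks for, sketched as an added example (this is not Zend Framework's code and not the committed fix). `resolveViewScript()` and the temporary demo files are hypothetical names constructed for the illustration.

```php
<?php
// Added illustration, not Zend_View code. resolveViewScript() is a hypothetical helper.
function resolveViewScript(string $name, array $scriptPaths): string
{
    // Reject parent directory notation ("../" or "..\") before touching the filesystem.
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $name)) {
        throw new InvalidArgumentException('Script name may not contain parent directory notation');
    }
    foreach ($scriptPaths as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // registered directory does not exist
        }
        $file = realpath($base . DIRECTORY_SEPARATOR . $name);
        // Defence in depth: the resolved file must still sit beneath the registered directory.
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($file !== false && is_file($file) && strncmp($file, $prefix, strlen($prefix)) === 0) {
            return $file;
        }
    }
    throw new RuntimeException('Script not found in the registered script paths');
}

// Constructed demo data: one view script, plus a file outside the view directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('zv_demo_');
mkdir($root . '/views', 0700, true);
file_put_contents($root . '/views/index.phtml', 'hello');
file_put_contents($root . '/secret.txt', 'outside the view directory');

foreach (['index.phtml', '../secret.txt', 'sub/../../secret.txt', '..\\secret.txt'] as $name) {
    try {
        echo $name, ' => ', resolveViewScript($name, [$root . '/views']), PHP_EOL;
    } catch (Exception $e) {
        echo $name, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// Remove the demo files again.
unlink($root . '/views/index.phtml');
unlink($root . '/secret.txt');
rmdir($root . '/views');
rmdir($root);
```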

Activity

Matthew Weier O'Phinney added a comment -

Based on ZF-5724 submission, but specific to render() vs. the script paths.

Matthew Weier O'Phinney added a comment -

Fix committed to trunk in r14049

Matthew Weier O'Phinney added a comment -

Patch applied to 1.7 release branch


Time Tracking

  • Estimated: 15m
  • Remaining: 15m
  • Logged: Not Specified