
Key: ZF-6625
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Stanislav Malyshev
Reporter: Guillermo Thiemann
Votes: 5
Watchers: 2
Zend Framework

Major security issue with Zend_Amf loading services via Zend_Loader

Created: 12/May/09 12:38 PM   Updated: 17/Jun/09 01:51 PM   Resolved: 17/Jun/09 01:51 PM
Component/s: Zend_Amf, Zend_Loader
Affects Version/s: 1.8.0
Fix Version/s: 1.8.4

Time Tracking:
Not Specified


Description

Zend_Amf loads service-classes dynamically by using Zend_Loader in the following code:

--- Zend/Amf/Server.php (169-179) ---------------------------------------

foreach ($this->_directories as $dir) {
    $classPath[] = $dir . $uriclasspath;
}

require_once('Zend/Loader.php');
try {
    Zend_Loader::loadClass($className, $classPath, true);
} catch (Exception $e) {
    require_once 'Zend/Amf/Server/Exception.php';
    throw new Zend_Amf_Server_Exception('Class "' . $className . '" does not exist');
}

-------------------------------------------

This is a major security issue, as Zend_Loader tries to find the passed class ($className) in all set include paths if it is not found in the passed paths ($classPath).
As a result, it is possible to access each and every class that implements a public method and can be loaded via Zend_Loader!!

I can think of two solutions:
1. Extend the interface of the loadClass function like so: public static function loadClass($class, $dirs = null, $ignoreIncludePaths = false)
2. Implement an independent service/class loading mechanism in Zend_Amf

The first solution seems to be better as this functionality could be advantageous in other components.

greetings, Guille



HT added a comment - 01/Jun/09 06:34 PM

This issue also allows an attacker to call any methods for classes included before the remoting class.
I agree with Guille, solution 1 is the simplest / elegant and requires minimum code change.

Any ideas when this will be implemented? This is a major security vulnerability affecting live sites.

Cheers,
Horia


Wade Arnold added a comment - 16/Jun/09 02:52 PM

Stas, can you check this out? I am not sure if you want to add something to Zend_Loader or make a modification inside of Zend_Amf_Server? How are the other Zend Server endpoints handling this?


Stanislav Malyshev added a comment - 17/Jun/09 01:51 PM

Thanks, fixed it - now it will load only files from specified directories.
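
Added example, not part of the thread and not the actual Zend Framework patch: a PHP loader that resolves a service class only inside the directories it is given and never falls back to include_path, which is the behaviour the last comment describes. The function loadServiceClass() and the demo directory, file and class names are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Zend Framework code. loadServiceClass() is a hypothetical helper.
function loadServiceClass(string $className, array $serviceDirs): string
{
    // Accept only PEAR-style class names, so the name can never carry path syntax.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9]*(_[A-Za-z0-9]+)*$/', $className)) {
        throw new InvalidArgumentException('Illegal service class name');
    }
    $relative = str_replace('_', DIRECTORY_SEPARATOR, $className) . '.php';

    foreach ($serviceDirs as $dir) {
        $base = realpath($dir);
        $file = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $relative);
        // Resolve symlinks, then require the file to sit below the service directory.
        if ($file === false
            || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            continue;
        }
        require_once $file; // absolute path, so include_path is never consulted
        if (class_exists($className, false)) {
            return $className;
        }
    }
    // A class that exists elsewhere (include_path or already loaded) is still refused.
    throw new RuntimeException('Class "' . $className . '" does not exist');
}

// Constructed demo: one service directory and one unrelated library on include_path.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'amf_demo_' . uniqid();
mkdir("$root/services", 0700, true);
mkdir("$root/lib/Internal", 0700, true);
file_put_contents("$root/services/Greeter.php",
    '<?php class Greeter { public function hello() { return "hi"; } }');
file_put_contents("$root/lib/Internal/Admin.php",
    '<?php class Internal_Admin { public function reset() {} }');
set_include_path("$root/lib" . PATH_SEPARATOR . get_include_path());

// The class inside the service directory loads normally.
echo 'loaded: ', loadServiceClass('Greeter', ["$root/services"]), "\n";

// The class reachable only through include_path is refused.
try {
    loadServiceClass('Internal_Admin', ["$root/services"]);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```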