Zend_Amf loads service-classes dynamically by using Zend_Loader in the following code:
--- Zend/Amf/Server.php (169-179) ---------------------------------------
foreach ($this->_directories as $dir) {
    $classPath[] = $dir . $uriclasspath;
}
require_once('Zend/Loader.php');
try {
    Zend_Loader::loadClass($className, $classPath, true);
} catch (Exception $e) {
    require_once 'Zend/Amf/Server/Exception.php';
    throw new Zend_Amf_Server_Exception('Class "' . $className . '" does not exist');
}
-------------------------------------------
This is a major security issue, as Zend_Loader tries to find the passed class ($className) in all set include paths if it is not found in the passed paths ($classPath).
As a result, it is possible to access each and every class that implements a public method and can be loaded via Zend_Loader!!
I can think of two solutions:
1. Extend the interface of the loadClass function like so: public static function loadClass($class, $dirs = null, $ignoreIncludePaths = false)
2. Implement an independent service/class loading mechanism in Zend_Amf
The first solution seems to be better as this functionality could be advantageous in other components.
greetings, Guille
This issue also allows an attacker to call any methods for classes included before the remoting class.
I agree with Guille, solution 1 is the simplest / most elegant and requires minimal code change.
Any idea when this will be implemented? This is a major security vulnerability affecting live sites.
Cheers,
Horia
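
A loader restricted to the service directories, as discussed in the two posts above. This is an added example, not code from the thread or from Zend Framework; `loadServiceClass` and the demo class `Greeter` are hypothetical names. It never consults the include path, and it also refuses classes that are already loaded but were not defined by a file in a service directory.

```php
<?php
// Added example: hypothetical helper, not Zend Framework code.
function loadServiceClass(string $className, array $serviceDirs): void
{
    // Accept only Zend-style names (Foo_Bar maps to Foo/Bar.php); no dots or slashes.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9]*(_[A-Za-z0-9]+)*$/', $className)) {
        throw new InvalidArgumentException('Illegal service class name');
    }
    $relative = str_replace('_', DIRECTORY_SEPARATOR, $className) . '.php';

    foreach ($serviceDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue;
        }
        // realpath() resolves symlinks; the result must still lie under $base.
        $file = realpath($base . DIRECTORY_SEPARATOR . $relative);
        if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
            continue;
        }
        if (!class_exists($className, false)) {   // false: do not trigger autoloaders
            require_once $file;
        }
        // Expose the class only if this service file is what defined it.
        if (class_exists($className, false)
            && (new ReflectionClass($className))->getFileName() === $file) {
            return;
        }
    }
    throw new RuntimeException('Class "' . $className . '" is not a registered service');
}

// Constructed demo: one service directory holding a single class.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'amf_services_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'Greeter.php',
    '<?php class Greeter { public function hello() { return "hi"; } }');

loadServiceClass('Greeter', [$dir]);              // defined by a file in the service directory
echo (new Greeter())->hello(), PHP_EOL;

try {
    loadServiceClass('ArrayObject', [$dir]);      // already-loaded class, but not a service
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```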