Issues

ZF-6625: Major security issue with Zend_Amf loading services via Zend_Loader

Description

Zend_Amf loads service-classes dynamically by using Zend_Loader in the following code:

--- Zend/Amf/Server.php (169-179) ---------------------------------------

            foreach ($this->_directories as $dir) {
                $classPath[] = $dir . $uriclasspath;
            }

            require_once('Zend/Loader.php');
            try {
                Zend_Loader::loadClass($className, $classPath, true);
            } catch (Exception $e) {
                require_once 'Zend/Amf/Server/Exception.php';
                throw new Zend_Amf_Server_Exception('Class "' . $className . '" does not exist');
            }

This is a major security issue, as Zend_Loader tries to find the passed class ($className) in all set include paths if it is not found in the passed paths ($classPath). As a result, it is possible to access each and every class that implements a public method and can be loaded via Zend_Loader!!

I can think of two solutions:

1. Extend the interface of the loadClass function like so: public static function loadClass($class, $dirs = null, $ignoreIncludePaths = false)
2. Implement an independent service/class loading mechanism in Zend_Amf

The first solution seems to be better as this functionality could be advantageous in other components.

greetings, Guille

Comments

This issue also allows an attacker to call any methods for classes included before the remoting class. I agree with Guille, solution 1 is the simplest / elegant and requires minimum code change.

Any ideas when this will be implemented? This is a major security vulnerability affecting live sites.

Cheers, Horia

Stas, Can you check this out? I am not sure if you want to add something to Zend_Loader or make a modification inside of Zend_Amf_Server? How are the other Zend Server endpoints handling this?

Thanks, fixed it - now it will load only files from specified directories.
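
One way to restrict service-class loading to the configured directories, as the thread asks for. This is an added example, not the Zend Framework patch: loadServiceClass(), HelloService and the temporary directory are hypothetical names, and the demo input at the end is constructed.

```php
<?php
// Added example, not Zend Framework code. loadServiceClass() is a hypothetical
// helper that resolves a class only inside $serviceDirs, never via include_path.
function loadServiceClass(string $className, array $serviceDirs): void
{
    // Letters, digits and underscores only: no path separators, no "..".
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $className)) {
        throw new InvalidArgumentException('Illegal service class name');
    }
    // Foo_Bar -> Foo/Bar.php (underscore-to-directory naming convention).
    $relative = str_replace('_', DIRECTORY_SEPARATOR, $className) . '.php';

    foreach ($serviceDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // configured directory does not exist
        }
        $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // realpath() resolves symlinks; the result must stay under $prefix.
        $file = realpath($prefix . $relative);
        if ($file === false || strpos($file, $prefix) !== 0) {
            continue;
        }
        require_once $file;
        // autoload = false: no autoloader may pull the class in from elsewhere.
        if (class_exists($className, false)) {
            return;
        }
    }
    // Reached for any class without a file under $serviceDirs, including
    // classes that are already loaded or reachable through include_path.
    throw new RuntimeException('Class "' . $className . '" does not exist');
}

// Constructed demo: one service directory holding a single class.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'amf_services_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'HelloService.php',
    '<?php class HelloService {}');

loadServiceClass('HelloService', [$dir]);      // found under $dir
try {
    loadServiceClass('ArrayObject', [$dir]);   // built-in class, no file in $dir
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```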