Security Advisory
ZF2009-01: LFI vector in Zend_View::setScriptPath() and render()
Executive Summary
Zend_View is a component that utilizes PHP as a templating
language. To utilize it, you specify "script paths" that contain view
scripts, and then render() view scripts by specifying
subdirectories within those script paths; the output is then returned as a
string value which may be cached or directly output.
Zend_View::setScriptPath() in versions up to and including
1.7.4 include a potential Local File Inclusion vulnerability. If untrusted
input is used to specify the script path and/or view script itself, a
malicious attacker could potentially specify a system directory and thus
render a system file.
As an example, if the user-supplied string "/etc/passwd" or a relative path
that resolved to that file, was supplied to
Zend_View::render(), that file would be rendered.
Action Taken
The functionality was patched starting in Zend Framework 1.7.5. From that
release forward, the render() method checks for absolute paths
and/or parent directory traversal in the file location passed, and throws an
exception when detected.
However, to provide backwards compatibility for those who relied on the
functionality, an additional flag was added which can be used to optionally
disable the protection: the method setLfiProtection(false), or
the constructor option "lfiProtection".
Recommendations
If you were passing user input directly to render(), you should
immediately upgrade to Zend Framework 1.7.5 or above; regardless, it is
always best to run the most current version of the framework.
Additionally, the Zend Framework team reminds developers never to trust user input; in particular, when using it to determine file system paths, appropriate filters and normalization should be performed to limit the directory trees in which a requested file may be located.
Other Information
Acknowledgments
The Zend Framework team thanks the following for working with us to help protect its users:
- Grzegorz Nowicki, who made the initial report
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)