Security Advisory

ZF2009-01: LFI vector in Zend_View::setScriptPath() and render()

Executive Summary

Zend_View is a component that utilizes PHP as a templating language. To utilize it, you specify "script paths" that contain view scripts, and then render() view scripts by specifying subdirectories within those script paths; the output is then returned as a string value which may be cached or directly output.

Zend_View::setScriptPath() in versions up to and including 1.7.4 include a potential Local File Inclusion vulnerability. If untrusted input is used to specify the script path and/or view script itself, a malicious attacker could potentially specify a system directory and thus render a system file.

As an example, if the user-supplied string "/etc/passwd" or a relative path that resolved to that file, was supplied to Zend_View::render(), that file would be rendered.

Action Taken

The functionality was patched starting in Zend Framework 1.7.5. From that release forward, the render() method checks for absolute paths and/or parent directory traversal in the file location passed, and throws an exception when detected.

However, to provide backwards compatibility for those who relied on the functionality, an additional flag was added which can be used to optionally disable the protection: the method setLfiProtection(false), or the constructor option "lfiProtection".

Recommendations

If you were passing user input directly to render(), you should immediately upgrade to Zend Framework 1.7.5 or above; regardless, it is always best to run the most current version of the framework.

Additionally, the Zend Framework team reminds developers never to trust user input; in particular, when using it to determine file system paths, appropriate filters and normalization should be performed to limit the directory trees in which a requested file may be located.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

back to advisories