Security Advisory
ZF2010-01: Potential XSS vectors due to inconsistent encodings
Executive Summary
A number of classes, primarily within the Zend_Filter, Zend_Form, Zend_Log
and Zend_View components, contained character encoding
inconsistencies whereby calls to the htmlspecialchars() and
htmlentities() functions used undefined or hard-coded
charset parameters. In many of these cases developers were unable to set a
character encoding of their choice. These inconsistencies could, in
specific circumstances, allow certain multibyte representations of
special HTML characters to pass through unescaped, leaving applications
potentially vulnerable to cross-site scripting (XSS) exploits. Such
exploits would only be possible if a developer used a non-typical
character encoding (such as UTF-7), allowed users to define the
character encoding, or served HTML documents without a valid character
set defined.
Action Taken
The aforementioned classes have been reworked to use a default character encoding of UTF-8 and now expose methods that allow developers to set a custom character encoding.
In addition, a decision was made to default to UTF-8 for the internal
encoding mechanisms used by Zend_View. If you were relying
on Zend_View using ISO-8859-1 encoding previously, you may
need to specify that encoding manually now. You may do so in several
ways:
- If manually instantiating Zend_View:

    $view = new Zend_View(array('encoding' => 'ISO-8859-1'));
    // or:
    $view->setEncoding('ISO-8859-1');

- From your application.ini:

    resources.view.encoding = "ISO-8859-1"
Recommendations
First, we recommend using UTF-8 or ensuring your chosen character encoding is used consistently across all components to help prevent potential multibyte based XSS attacks against your application. We also recommend that developers ensure HTML documents are served with a valid character set defined, such as via the Content-Type header or inside the document itself.
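As an added illustration (not Zend Framework code), the following escaper is shaped like the fix described under "Action Taken" and the recommendation above: the charset handed to htmlspecialchars() is a single setting that defaults to UTF-8, is used on every call, and is the same charset declared in the Content-Type header. The class name, method names and the charset list are assumptions made for this example.

```php
<?php
// Added example, not Zend Framework code. The charset used for escaping is
// configured once, applied on every htmlspecialchars() call, and reused for
// the Content-Type header, so escaping and rendering never disagree.

class ViewEscaper
{
    // Assumed subset of charsets that htmlspecialchars() is documented to accept.
    private static $supported = array(
        'UTF-8', 'ISO-8859-1', 'ISO-8859-15', 'cp1252', 'KOI8-R', 'Shift_JIS',
    );

    private $encoding = 'UTF-8';   // safe default, as in ZF 1.9.7+

    public function setEncoding($encoding)
    {
        // Fail loudly on an unknown charset instead of letting
        // htmlspecialchars() warn and silently fall back to another one.
        foreach (self::$supported as $name) {
            if (strcasecmp($name, $encoding) === 0) {
                $this->encoding = $name;
                return $this;
            }
        }
        throw new InvalidArgumentException("Unsupported charset: $encoding");
    }

    public function getEncoding()
    {
        return $this->encoding;
    }

    public function escape($value)
    {
        // Always pass the configured charset; never rely on PHP's default.
        return htmlspecialchars((string) $value, ENT_QUOTES, $this->encoding);
    }

    public function contentTypeHeader()
    {
        // Declare the same charset the escaper used, so the browser cannot
        // pick a different one (the "no valid character set" case above).
        return 'Content-Type: text/html; charset=' . $this->encoding;
    }
}

// Usage with a constructed untrusted value.
$escaper  = new ViewEscaper();                    // UTF-8 unless overridden
$untrusted = "<b>O'Neil</b> & co";                // constructed sample input
header($escaper->contentTypeHeader());
echo '<p>' . $escaper->escape($untrusted) . '</p>';
```

Calling setEncoding('ISO-8859-1') on this escaper switches both the escaping charset and the declared header together, which is the property the advisory's Zend_View change restores.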
Second, if you are using any of the Zend_Filter,
Zend_Form, Zend_Log or
Zend_View components, we strongly recommend upgrading to Zend
Framework 1.9.7 or above; regardless, it is always best to run the most
current version of the framework.
Other Information
Acknowledgments
The Zend Framework team thanks the following for working with us to help protect its users:
- Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery).