Security Advisory

ZF2010-01: Potential XSS vectors due to inconsistent encodings

Executive Summary

A number of classes, primarily within the Zend_Form, Zend_Filter, Zend_Form, Zend_Log and Zend_View components, contained character encoding inconsistencies whereby calls to the htmlspecialchars() and htmlentities() functions used undefined or hard coded charset parameters. In many of these cases developers were unable to set a character encoding of their choice. These inconsistencies could, in specific circumstances, allow certain multibyte representations of special HTML characters pass through unescaped leaving applications potentially vulnerable to cross-site scripting (XSS) exploits. Such exploits would only be possible if a developer used a non-typical character encoding (such as UTF-7), allowed users to define the character encoding, or served HTML documents without a valid character set defined.

Action Taken

The afore-mentioned classes have been reworked to use a default character encoding of UTF-8 and now expose methods to allow developers set a custom character encoding.

In addition, a decision was made to default to UTF-8 for the internal encoding mechanisms used by Zend_View. If you were relying on Zend_View using ISO-8859-1 encoding previously, you may need to specify that encoding manually now. You may do so in several ways:

Recommendations

First, we recommend using UTF-8 or ensuring your chosen character encoding is used consistently across all components to help prevent potential multibyte based XSS attacks against your application. We also recommend that developers ensure HTML documents are served with a valid character set defined, such as via the Content-Type header or inside the document itself.

Second, if you are using any of the Zend_Form, Zend_Filter, Zend_Form, Zend_Log or Zend_View components, we strongly recommend upgrading to Zend Framework 1.9.7 or above; regardless, it is always best to run the most current version of the framework.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

back to advisories