ZF2010-05: Potential XSS vector in Zend_Service_ReCaptcha_MailHide
Zend_Service_ReCaptcha_MailHide had a potential XSS
vulnerability. Due to the fact that the email address was never validated,
and because its use of
htmlentities() did not include the
encoding argument, it was potentially possible for a malicious user aware
of the issue to inject a specially crafted multibyte string as an attack
via the CAPTCHA's email argument.
EmailAddress validator was added by default to
Zend_Service_ReCaptcha_MailHide (which may be replaced with
Zend_Validate_interface implementation), and the
submitted email address is now passed through this validator prior to
performing any markup generation. Additionally, accessors for setting and
retrieving the encoding to use with
htmlentities() have been
provided, with a default value of UTF-8 used.
If you use
Zend_Service_ReCaptcha_MailHide, it is strongly
recommended that you upgrade to either the latest available Zend
Framework release, or one of the following releases, immediately:
The Zend Framework team thanks the following for working with us to help protect its users:
- Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at firstname.lastname@example.org. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)