ZF Zend Framework

Behind the Site

    Security Advisory

    ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json

    Executive Summary

    Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding, leading to incompatibilities with the JSON specification, and opening the potential for XSS or HTML injection attacks when returning HTML within a JSON string.

    Action Taken

    Zend_Json_Encoder was patched to escape the solidus character when encoding PHP strings to JSON.

    Recommendations

    This particular vulnerability only affects those users who are either (a) using Zend_Json_Encoder directly, (b) requesting native encoding instead of usage of ext/json (e.g., by enabling the static $useBuiltinEncoderDecoder property of Zend_Json), or (c) on systems where ext/json is unavailable (e.g. RHEL, CentOS). If you are affected, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately.

    • 1.9.7
    • 1.8.5
    • 1.7.9

    Other Information

    Acknowledgments

    The Zend Framework team thanks the following for working with us to help protect its users:

    • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken

    Reporting Potential Security Issues

    If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

    When reporting issues, please provide the following information:

    • Component(s) affected
    • A description indicating how to reproduce the issue
    • A summary of the security vulnerability and impact

    We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

    For sensitive email communications, please use our PGP key.

    Policy

    Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

    • We will patch the current release branch, as well as the immediate prior minor release branch.
    • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
    • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

    Security