Security Advisory
ZF2012-01: Local file disclosure via XXE injection in Zend_XmlRpc
Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE)
Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is
used in an insecure way to parse XML data. External entities can be specified
by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this
vulnerability an application may be coerced to open arbitrary files and/or TCP
connections.
Action Taken
The Request and Response implementations in
Zend_XmlRpc were patched to ensure
libxml_disable_entity_loader() is invoked prior to instantiating
any SimpleXML objects. This disables XXE parsing, and thus
disables the attack vector.
This patch has been applied starting in versions 1.11.12 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and will be included starting with the 2.0.0beta5 release).
Recommendations
If you are using either Zend_XmlRpc_Server or
Zend_XmlRpc_Client in your projects, we recommend
immediately upgrading to 1.11.12 or greater.
Update
Additional attack vectors were identified in Zend_Dom,
Zend_Feed, and Zend_Soap, and patched in an
identical manner.
The patches for these components are included in versions 1.11.13 and 1.12.0 of Zend Framework, and ported to the upcoming version 2.0.0 development branch (released with 2.0.0rc4). If you are using any of the affected components, we recommend upgrading to 1.11.13 or greater immediately.
Other Information
Acknowledgments
The Zend Framework team thanks the following for working with us to help protect its users:
- Johannes Greil
- Kestutis Gudinavicius
Both from SEC Consult Vulnerability Lab (www.sec-consult.com).
- Pádraic Brady, for identifying the additional vectors in
Zend_Dom,Zend_Feed, andZend_Soap
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)