ZF2012-02: Denial of Service vector via XEE injection
Zend_XmlRpc are vulnerable to XML Entity Expansion (XEE) vectors,
leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE
declaration includes XML entity definitions that contain either recursive or
circular references; this leads to CPU and memory consumption, making Denial
of Service exploits trivial to implement.
All locations where
used with user input were patched. The patches mitigate the XEE vector by
libxml_disable_entity_loader(), and then looping
DOMDocument children, testing if any are of type
XML_DOCUMENT_TYPE_NODE; if so, an exception is raised and
execution is halted.
SimpleXML is used, the XML is loaded first via
DOMDocument and scanned as noted above; once validated, the
DOMDocument instance is passed to
This patch has been applied starting in versions 1.11.13 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and first released with 2.0.0rc4).
If you are using either
Zend_XmlRpc in your projects, we
recommend immediately upgrading to 1.11.13 or greater.
The Zend Framework team thanks the following for working with us to help protect its users:
- Pádraic Brady
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at email@example.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)