Security Advisory
ZF2012-04: Potential Proxy Injection Vulnerabilities in Multiple Zend Framework 2 Components
Zend\Session\Validator\RemoteAddr and Zend\View\Helper\ServerUrl
were found to be improperly parsing HTTP headers for proxy information, which could
potentially allow an attacker to spoof a proxied IP or host name.
In Zend\Session\Validator\RemoteAddr, if the client is behind a proxy server,
the detection of the proxy URL was incorrect, and could lead to invalid
results on subsequent lookups.
In Zend\View\Helper\ServerUrl, if the server lives behind a proxy, the helper
would always generate a URL based on the proxy host, regardless of whether
or not this was desired; additionally, it did not take into account the proxy port
or protocol, if provided.
Action Taken
A new class, Zend\Http\PhpEnvironment\RemoteAddress, was
developed to provide reusable code surrounding the detection of a client IP via
proxy headers, and Zend\Session\Validator\RemoteAddr was refactored
to consume this class. This code:
- no longer searches against the non-standard
Client-Ipheader - allows specifying the specific header to check against for proxy detection
- allows specifying a list of trusted proxy servers against which to mask any detected proxy IPs
- properly selects the right-most IP address from the list of proxy IPs
The ServerUrl view helper was modified as follows:
- a flag was introduced to enable/disable proxy detection
- proxy detection is disabled by default
- in addition to using the
X-Forwarded-Host header, support for detecting
the proxy port (via the
X-Forwarded-Port header) and proxy protocol (via the
X-Forwarded-Proto header) was added.
This patch has been applied starting in versions 2.0.5 of Zend Framework, as well as to the 2.1 development branch.
Recommendations
If you are using any of the components listed, we recommend upgrading to 2.0.5 or greater.
Other Information
Acknowledgments
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
- Fabien Potencier
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)