ZF2013-04: Potential Remote Address Spoofing Vector in Zend\Http\PhpEnvironment\RemoteAddress
The Zend\Http\PhpEnvironment\RemoteAddress class provides features around detecting the internet protocol (IP) address for an incoming proxied request via the X-Forwarded-For header, taking into account a provided list of trusted proxy server IPs. Prior to 2.2.5, the class did not take into account whether or not the IP address contained in $_SERVER['REMOTE_ADDR'] was in the trusted proxy server
The IETF draft specification indicates that if
We have made the following change to the
- If we detect that (a) we will test against proxy servers, and (b) $_SERVER['REMOTE_ADDR'] is not in the list of trusted proxy servers, we now return the value of $_SERVER['REMOTE_ADDR'] immediately, without introspecting the
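The check described in the item above, sketched in PHP as an added example. This is not Zend Framework's code: the function name resolveClientIp, the right-to-left walk of the header, and all addresses are assumptions made for illustration.

```php
<?php
// Added illustration, not Zend Framework source. Function and variable
// names are hypothetical, and every address below is a constructed sample.

/**
 * Resolve the client IP for a request that may have passed through proxies.
 *
 * @param array    $server         $_SERVER-style array
 * @param string[] $trustedProxies IPs of proxies allowed to set X-Forwarded-For
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remoteAddr = $server['REMOTE_ADDR'] ?? '';

    // A direct peer that is not a trusted proxy cannot vouch for
    // X-Forwarded-For, so return its address without reading the header.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remoteAddr;
    }

    // Proxies append to the header, so the rightmost entries are the ones
    // written by our own infrastructure. Walk right to left.
    $hops = array_map('trim', explode(',', $header));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the direct peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first hop that is not one of our proxies
        }
    }
    return $remoteAddr;
}

$trusted = ['10.0.0.5'];
// Direct connection from an untrusted peer that supplies its own header.
$direct  = ['REMOTE_ADDR' => '203.0.113.7',
            'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// Request relayed by the trusted proxy.
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.5'];

var_dump(resolveClientIp($direct, $trusted));
var_dump(resolveClientIp($proxied, $trusted));
```

The first call returns 203.0.113.7 and the second 198.51.100.9. Without the early return on REMOTE_ADDR, the first call would yield 127.0.0.1 taken from the client-supplied header.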
You are only affected by this as an issue if you directly consume one of the following in your code:
If you do, we recommend immediately upgrading to version 2.2.5.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at email@example.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery).
Released Thu, 31 October 2013 14:00:00 -0500.