ZF-12486: XML External Entity Injection in Zend Framework

Issue Type: Bug Created: 2012-12-13T14:19:06.000+0000 Last Updated: 2012-12-18T18:40:54.000+0000 Status: Resolved Fix version(s): - 1.11.15 (18/Dec/12)

  • 1.12.1 (18/Dec/12)

Reporter: Yury (ymaryshev) Assignee: Matthew Weier O'Phinney (matthew) Tags: Related issues: Attachments:


---[ Vulnerable software]

Zend Framework Version: 1.12.0 and earlier

---[ Severity]

Severity level: Medium Impact: XML External Entity Injection (XXE) Attack vector: Remote

CVSS v2 Base Score: 6.4 Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) CVE: N/A

---[ Vulnerability description]

The specialists of the Positive Research center have detected a XXE Injection vulnerability in Zend Framework. XXE Injection is possible during import of RSS documents in Zend Framework. An attacker is able to read an arbitrary file on the target system.

Example: $channel = new Zend_Feed_Rss(''); echo $channel->title();

rss.xml content:

]> FILE:&x; ... ---[ How to fix ]

There is no solution available.


Vulnerability was detected by Yury Dyachenko (Positive Research Center)


Posted by Matthew Weier O'Phinney (matthew) on 2012-12-18T18:40:54.000+0000

Fixed on trunk, release-1.11, and release-1.12 branches.

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.