ZF-6625: Mayor security issue with Zend_Amf loading services via Zend_Loader

Issue Type: Bug Created: 2009-05-12T12:38:41.000+0000 Last Updated: 2009-06-17T13:51:02.000+0000 Status: Resolved Fix version(s): - 1.8.4 (23/Jun/09)

Reporter: Guillermo Thiemann (guille) Assignee: Stanislav Malyshev (stas) Tags: - Zend_Amf

  • Zend_Loader

Related issues: Attachments:


Zend_Amf loads service-classes dynamically by using Zend_Loader in the following code:

--- Zend/Amf/Server.php (169-179) ---------------------------------------

            foreach ($this->_directories as $dir) {
                $classPath[] = $dir . $uriclasspath;

            try {
                Zend_Loader::loadClass($className, $classPath, true);
            } catch (Exception $e) {
                require_once 'Zend/Amf/Server/Exception.php';
                throw new Zend_Amf_Server_Exception('Class "' . $className . '" does not exist');

This is a mayor security issue as Zend_Loader tries to find the passed class($className) in all set include-paths if it is not found in the passed paths($classPath). As a result it is possible to access each and every Class that implements a public method and can be loaded via zend-loader!!

I can think of two solutions: 1. Extend the interface of the loadClass function like so: public static function loadClass($class, $dirs = null, $ignoreIncludePaths = false) 2. Implement an independent service/class loading mechanism in Zend_Amf

The first solution seems to be better as this functionality could be advantageous in other components.

greetings, Guille


Posted by HT (horiat) on 2009-06-01T18:34:51.000+0000

This issue also allows an attacker to call any methods for classes included before the remoting class. I agree with Guille, solution 1 is the simplest / elegant and requires minimum code change.

Any ideas when this will be implemented? as this is major security vulnerability affecting live sites

Cheers, Horia

Posted by Wade Arnold (wadearnold) on 2009-06-16T14:52:04.000+0000

Stas, Can you check this out? I am not sure if you want to add something to Zend_Loader or make a modification inside of Zend_Amf_Server? How are the other Zend Server endpoints handling this?

Posted by Stanislav Malyshev (stas) on 2009-06-17T13:51:01.000+0000

Thanks, fixed it - now it will load only files from specified directories.

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.