Security

Security Advisory: ZF2009-01

ZF2009-01: LFI vector in Zend_View::setScriptPath() and render()

Executive Summary

Zend_View is a component that utilizes PHP as a templating language. To utilize it, you specify "script paths" that contain view scripts, and then render() view scripts by specifying subdirectories within those script paths; the output is then returned as a string value which may be cached or directly output.

Zend_View::setScriptPath() in versions up to and including 1.7.4 include a potential Local File Inclusion vulnerability. If untrusted input is used to specify the script path and/or view script itself, a malicious attacker could potentially specify a system directory and thus render a system file.

As an example, if the user-supplied string /etc/passwd or a relative path that resolved to that file, was supplied to Zend_View::render(), that file would be rendered.

Action Taken

The functionality was patched starting in Zend Framework 1.7.5. From that release forward, the render() method checks for absolute paths and/or parent directory traversal in the file location passed, and throws an exception when detected.

However, to provide backwards compatibility for those who relied on the functionality, an additional flag was added which can be used to optionally disable the protection: the method setLfiProtection(false), or the constructor option lfiProtection.

Recommendations

If you were passing user input directly to render(), you should immediately upgrade to Zend Framework 1.7.5 or above; regardless, it is always best to run the most current version of the framework.

Additionally, the Zend Framework team reminds developers never to trust user input; in particular, when using it to determine file system paths, appropriate filters and normalization should be performed to limit the directory trees in which a requested file may be located.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Grzegorz Nowicki, who made the initial report

Released 2009-02-17

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts