Zend_View is a component that utilizes PHP as a templating language. To
utilize it, you specify "script paths" that contain view scripts, and then
render() view scripts by specifying subdirectories within those script paths;
the output is then returned as a string value which may be cached or directly
Zend_View::setScriptPath() in versions up to and including 1.7.4 include a
potential Local File Inclusion vulnerability. If untrusted input is used to
specify the script path and/or view script itself, a malicious attacker could
potentially specify a system directory and thus render a system file.
As an example, if the user-supplied string
/etc/passwd or a relative path that
resolved to that file, was supplied to
Zend_View::render(), that file would be
The functionality was patched starting in Zend Framework 1.7.5. From that
release forward, the
render() method checks for absolute paths and/or parent
directory traversal in the file location passed, and throws an exception when
However, to provide backwards compatibility for those who relied on the
functionality, an additional flag was added which can be used to optionally
disable the protection: the method
setLfiProtection(false), or the constructor
If you were passing user input directly to
render(), you should immediately
upgrade to Zend Framework 1.7.5 or above; regardless, it is always best to run
the most current version of the framework.
Additionally, the Zend Framework team reminds developers never to trust user input; in particular, when using it to determine file system paths, appropriate filters and normalization should be performed to limit the directory trees in which a requested file may be located.
The Zend Framework team thanks the following for working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org