Security

Security Advisory: ZF2010-01

ZF2010-01: Potential XSS vectors due to inconsistent encodings

Executive Summary

A number of classes, primarily within the Zend_Form, Zend_Filter, Zend_Form, Zend_Log and Zend_View components, contained character encoding inconsistencies whereby calls to the htmlspecialchars() and htmlentities() functions used undefined or hard coded charset parameters. In many of these cases developers were unable to set a character encoding of their choice. These inconsistencies could, in specific circumstances, allow certain multibyte representations of special HTML characters pass through unescaped leaving applications potentially vulnerable to cross-site scripting (XSS) exploits. Such exploits would only be possible if a developer used a non-typical character encoding (such as UTF-7), allowed users to define the character encoding, or served HTML documents without a valid character set defined.

Action Taken

The afore-mentioned classes have been reworked to use a default character encoding of UTF-8 and now expose methods to allow developers set a custom character encoding.

In addition, a decision was made to default to UTF-8 for the internal encoding mechanisms used by Zend_View. If you were relying on Zend_View using ISO-8859-1 encoding previously, you may need to specify that encoding manually now. You may do so in several ways:

  • If manually instantiating Zend_View:

    $view = new Zend_View(array('encoding' => 'ISO-8859-1'));
    // or:
    $view->setEncoding('ISO-8859-1');
    
  • From your application.ini:

    resources.view.encoding = "ISO-8859-1"
    

Recommendations

First, we recommend using UTF-8 or ensuring your chosen character encoding is used consistently across all components to help prevent potential multibyte based XSS attacks against your application. We also recommend that developers ensure HTML documents are served with a valid character set defined, such as via the Content-Type header or inside the document itself.

Second, if you are using any of the Zend_Form, Zend_Filter, Zend_Form, Zend_Log or Zend_View components, we strongly recommend upgrading to Zend Framework 1.9.7 or above; regardless, it is always best to run the most current version of the framework.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken

Released 2010-01-11

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts