Security Advisory: ZF2010-05

ZF2010-05: Potential XSS vector in Zend_Service_ReCaptcha_MailHide

Executive Summary

Zend_Service_ReCaptcha_MailHide had a potential XSS vulnerability. Due to the fact that the email address was never validated, and because its use of htmlentities() did not include the encoding argument, it was potentially possible for a malicious user aware of the issue to inject a specially crafted multibyte string as an attack via the CAPTCHA's email argument.

Action Taken

An EmailAddress validator was added by default to Zend_Service_ReCaptcha_MailHide (which may be replaced with any Zend_Validate_interface implementation), and the submitted email address is now passed through this validator prior to performing any markup generation. Additionally, accessors for setting and retrieving the encoding to use with htmlentities() have been provided, with a default value of UTF-8 used.

Recommendations

If you use Zend_Service_ReCaptcha_MailHide, it is strongly recommended that you upgrade to either the latest available Zend Framework release, or one of the following releases, immediately:

• 1.9.7
• 1.8.5
• 1.7.9

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

• Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken

Released 2010-01-11

Back to advisories

• Overview
• Advisories
• Feed