Zend_Service_ReCaptcha_MailHide
had a potential XSS vulnerability. Due to the
fact that the email address was never validated, and because its use of
htmlentities()
did not include the encoding argument, it was potentially
possible for a malicious user aware of the issue to inject a specially crafted
multibyte string as an attack via the CAPTCHA's email argument.
An EmailAddress
validator was added by default to
Zend_Service_ReCaptcha_MailHide
(which may be replaced with any
Zend_Validate_interface
implementation), and the submitted email address is
now passed through this validator prior to performing any markup generation.
Additionally, accessors for setting and retrieving the encoding to use with
htmlentities()
have been provided, with a default value of UTF-8 used.
If you use Zend_Service_ReCaptcha_MailHide
, it is strongly recommended that
you upgrade to either the latest available Zend Framework release, or one of the
following releases, immediately:
The Zend Framework team thanks the following for working with us to help protect its users:
Released 2010-01-11
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com