Security Advisory: ZF2010-07

ZF2010-07: Potential Security Issues in Bundled Dojo Library

Executive Summary

In mid-March, 2010, the Dojo Foundation issued a Security Advisory indicating potential security issues with specific files in Dojo Toolkit. Details of the advisory may be found on the Dojo website:

In particular, several files in the Dojo tree were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the tree when deploying to production.

Action Taken

Since the files in question have been patched on the Dojo release branches, the only action needed was a new release that contains a new build of Dojo based on the current release branch. In addition, code was added to the Zend Framework Dojo build script to strip out all PHP files as an extra precaution.


This particular vulnerability only affects those users who:

  • Use Dojo, and more specifically,
  • Use the Dojo build supplied by Zend Framework, or
  • Have not updated their site already based on the recommendations of the recent announcement by the Dojo Foundation.

If you fall into one of these categories, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately, and redeploying Dojo from the Dojo packages supplied with Zend Framework:

  • 1.10.3
  • 1.9.8

Alternately, upgrade from official Dojo packages, following the guidelines in the aforementioned advisory from the Dojo Foundation.

Other Information


The Zend Framework team thanks the following for working with us to help protect its users:

  • Paul Verhoeven, for alerting us to the original Dojo advisory.
  • Peter Higgins and James Burke, from the Dojo Toolkit team, for advice on how best to package Zend Framework's Dojo distribution.

Released 2010-04-02

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.