The default error handling view script generated using Zend_Tool failed to
escape request parameters when run in the "development" configuration
environment, providing a potential XSS attack vector.
Zend_Tool_Project_Context_Zf_ViewScriptFile was patched such that the view
script template now calls the escape() method on dumped request variables.
This particular vulnerability affects only those users who (a) are using
Zend_Tool (aka the zf CLI) to generate their ErrorController and view
script, and (b) are running that code under the "development" configuration
environment on a public-facing web server.
If you are running in any environment other than "development", the issue will not present.
There are three approaches you can take:
Make sure you set the correct application environment. You should only ever run
in the "development" environment when developing the application, and typically
only behind a firewall. Additionally, you should set your APPLICATION_ENV
environment variable via your web server's virtual host configuration whenever
possible. For public-facing hosts, set the value to anything other than
"development".
If you must run under the "development" application environment on a publically accessible server, follow one of the next two recommendations.
Zend Framework 1.11.4 includes a patch that adds escaping to the generated
error/error.phtml view script, ensuring that request variables are escaped
appropriately for the browser.
Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.
If you cannot upgrade, or if you want to patch previously generated error view scripts, do the following:
Open the application/views/scripts/error/error.phtml
file from your ZF-generated project in a text editor or your IDE.
Find the heading "Request Parameters".
In the line following, you'll see the following statement:
<?php echo var_export($this->request->getParams(), true) ?>
Edit the above statement to wrap the var_export call within a
$this->escape() method call:
<?php echo $this->escape(var_export($this->request->getParams(), true)) ?>
Once complete, save the file.
The Zend Framework team thanks the following for working with us to help protect its users:
Released 2011-03-03
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com