Security Advisory: ZF2012-01

ZF2012-01: Local file disclosure via XXE injection in Zend_XmlRpc

Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.

Action Taken

The Request and Response implementations in Zend_XmlRpc were patched to ensure libxml_disable_entity_loader() is invoked prior to instantiating any SimpleXML objects. This disables XXE parsing, and thus disables the attack vector.

This patch has been applied starting in versions 1.11.12 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and will be included starting with the 2.0.0beta5 release).


If you are using either Zend_XmlRpc_Server or Zend_XmlRpc_Client in your projects, we recommend immediately upgrading to 1.11.12 or greater.


Additional attack vectors were identified in Zend_Dom, Zend_Feed, and Zend_Soap, and patched in an identical manner.

The patches for these components are included in versions 1.11.13 and 1.12.0 of Zend Framework, and ported to the upcoming version 2.0.0 development branch (released with 2.0.0rc4). If you are using any of the affected components, we recommend upgrading to 1.11.13 or greater immediately.

Other Information


The Zend Framework team thanks the following for working with us to help protect its users:

  • Johannes Greil
  • Kestutis Gudinavicius

Both from SEC Consult Vulnerability Lab (

  • Pádraic Brady, for identifying the additional vectors in Zend_Dom, Zend_Feed, and Zend_Soap

Released 2012-06-22

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2021 by Zend by Perforce. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.