Zend_XmlRpc
is vulnerable to XML eXternal Entity (XXE) Injection attacks. The
SimpleXMLElement
class (SimpleXML PHP extension) is used in an insecure way to
parse XML data. External entities can be specified by adding a specific DOCTYPE
element to XML-RPC requests. By exploiting this vulnerability an application may
be coerced to open arbitrary files and/or TCP connections.
The Request
and Response
implementations in Zend_XmlRpc
were patched to
ensure libxml_disable_entity_loader()
is invoked prior to instantiating any
SimpleXML
objects. This disables XXE parsing, and thus disables the attack
vector.
This patch has been applied starting in versions 1.11.12 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and will be included starting with the 2.0.0beta5 release).
If you are using either Zend_XmlRpc_Server
or Zend_XmlRpc_Client
in your
projects, we recommend immediately upgrading to 1.11.12 or greater.
Additional attack vectors were identified in Zend_Dom
, Zend_Feed
, and
Zend_Soap
, and patched in an identical manner.
The patches for these components are included in versions 1.11.13 and 1.12.0 of Zend Framework, and ported to the upcoming version 2.0.0 development branch (released with 2.0.0rc4). If you are using any of the affected components, we recommend upgrading to 1.11.13 or greater immediately.
The Zend Framework team thanks the following for working with us to help protect its users:
Both from SEC Consult Vulnerability Lab (www.sec-consult.com).
Zend_Dom
,
Zend_Feed
, and Zend_Soap
Released 2012-06-22
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com